One-sub-symbol linear repair schemes

ABSTRACT

A method for repairing a single erasure in a Reed Solomon code in a system of a plurality of n storage nodes and a controller, wherein a content of each storage node is a codeword and each node stores a vector v. The method includes identifying a failed storage node; transmitting an index of the failed storage node to each surviving storage node; multiplying the content of each node i by a j-th component of a vector that is a permutation of elements of vector v that correspond to the surviving storage nodes; determining a trace map of the result and converting the result from an m×r bit representation into a reduced representation of r bits; reconstructing the content of the failed storage node from the reduced representation of each surviving node&#39;s content; and outputting the reconstructed content of the failed storage node.

BACKGROUND Technical Field

Embodiments of the present disclosure are directed to methods of repairing corrupted digital data.

Discussion of the Related Art

In coding theory, Reed-Solomon (RS) codes form a class of error-correcting codes (ECCs) that are constructed using finite fields. RS codes can be defined as follows. Let q be a prime power, and let

_(q) be the finite field of q elements. For a subset I⊆

_(q), an enumeration I:={x₁, . . . , x_(n)} of I, with n:=|l|, and a positive integer k≤n, the RS code with evaluation set l and dimension k is defined as the set of length-n vectors in

_(q) ^(n) obtained by evaluating all polynomials ƒ(X)∈

_(q)[X] of degree up to k−1 on the points of I. Exlplicitly, the RS code with evaluation set I and dimension k is defined as {(ƒ(x ₁), . . . ,ƒ(x _(n))|ƒ∈

_(q)[x],deg(ƒ)≤k−1}.

RS codes allow a precise control over the number of symbol erasures correctable by the code during code design. In particular, it is possible to design RS codes that can correct multiple symbol erasures.

A generalized RS (GRS) code is obtained by coordinate-wise multiplication of all codewords of an RS code of length n by the entries of some pre-defined vector (a₁, . . . , a_(n)) with non-zero entries in the same field over which the RS code is defined. Erasure decoding of a GRS code can be reduced to that of an RS code by the following steps: (1) Each surviving node divides its content by the corresponding a_(i); (2) The system performs RS erasure decoding, possibly with low-bandwidth in case of a single erasure; and (3) The reconstructed RS symbols are multiplied by the corresponding a_(i) in order to be converted to the required reconstructed US symbols.

An exemplary application of RS codes is encoding stored data. For example, a host may write incoming messages to a storage array of unreliable “nodes”. According to an embodiment, a node includes memory and some processing capability. In a flash array, a node may include an individual SSD with or without an “augmented” controller for performing, e.g., the encoding calculations on top of the usual tasks performed by an individual SSD controller. Alternatively, in cloud storage, a node may be, e.g., a computer with one or more drives.

The incoming messages are the data that users would like to store, and are free to take any value. An actual stored message, such as a movie, can be of various sizes, but from a coding point of view, what is important are the encoded chunks, sometimes called “stripes”. A stripe includes information symbols and parity symbols.

To achieve reliable storage, the host encodes the data before storing it. Then, if one or more storage nodes fails, the host has to restore (decode) the lost data. Note that whether or not the user wishes to read his/her stored data, the host may correct erasures as they are discovered, by, e.g., a scanning mechanism that constantly searches for failed nodes. In a typical case, the encoding process introduces enough redundancy to overcome more than a single failure. However, the most common case of failure is that of a single failure (erasure), for which embodiments of disclosure provide a low-bandwidth decoding algorithm as described below.

An approximate conceptual description of an exemplary system operation is as follows. Note that to keep this example concrete, it will consider a cloud storage setup, but there are also other potential scenarios, e.g., that of a flash array, i.e., a “super disk” constructed from several individual solid-state, drives, SSDs, typically placed on a rack.

Storage:

-   -   1. A user uploads a file, such as a movie, for cloud storage.     -   2. The cloud host stores the movie. For reliable storage, the         message is encoded by, e.g., an RS code. In typical systematic         encoding, the encoded message consists of the original message         +parity symbols. In actual practice, the (typically very large)         message is broken into smaller chunks, and each chunk is encoded         separately. For example, one cloud storage provider uses an RS         encoding taking 10 8-bit symbols of information to a codeword of         14 8-bit symbols, with 10 symbols of information+4 symbols of         parity in systematic encoding. So, the original message is         broken into chunks of 10 8-bit symbols, and each chunk is         encoded individually.     -   3. The host stores each RS symbol in a different individual         drive. For example, in the above (14,         example, the 14 coded symbols are stored in 14 different drives.         Maintenance:     -   1. Suppose that a failure is detected, either by some scanning         software that searches for failures, or because a user tried to         read the data and got a failure indication.     -   2. Continuing with the (14,         example, if up to 4 drives failed, the host restores the 4         missing symbols. For the restoring process, the host needs the         following data:         -   (i) if the number of failed drives is between 2 and 4, then             for restoring the missing data, 10 of the surviving nodes             have to transmit to the host their entire content.         -   (ii) If a single drive fails, then in one of the             applications of the current invention, each one of the 13             surviving drives has to transmit only ½ of its content to             the host.     -   3. The restored data may be, e.g., re-stored on different nodes,         or just sent to the user.

SUMMARY

According to an embodiment of the disclosure, there is provided a method for repairing a single erasure in an RS code over a finite field F₂ ^(mr) with an evaluation set V={u₀=0, u₁, . . . , u_(n−1)} that is a subspace of size n=2^(d), for d<mr and divisible by m, wherein a normalized repair bandwidth b≈(n−1)/m in and a number of information symbols is k<=2^(d)−2^(d−d/m), in a system of a plurality of n storage nodes and a controller, wherein a content c_(i) of each storage node i is an element of the finite field F₂ ^(mr) and each node stores a vector v whose entries are inverses of non-zero elements of the evaluation set V. The method includes identifying, by the controller, a failed storage node; transmitting, by the controller, an index j₀ of the failed storage node to each surviving storage node; multiplying, by each surviving storage node i, the content c_(i) of each said node i by a j-th component of vector w(i) wherein

$j = {{j\left( {i,j_{0}} \right)} = \left\{ {\begin{matrix} j_{0} & {{{if}\mspace{14mu} j_{0}} < i} \\ {j_{0} - 1} & {{{if}\mspace{14mu} j_{0}} > i} \end{matrix},} \right.}$ wherein w(i)_(j(i,j) ₀ ₎:=v_(j′) for all i∈{0, . . . , j₀−1, j₀+1, . . . , n} is a permutation of elements of vector v that correspond to the surviving storage nodes, wherein j′ is a unique index in {1, . . . , n−1} such that u_(j′)=u_(j) ₀ +u_(i); determining a trace map of a result out_(i) of said multiplication and converting, by each surviving storage, node, the result from an m×r bit representation into a reduced representation

_(i) of r bits; reconstructing, by the controller, content of the failed storage node from the reduced representation of each surviving node's content; and outputting the reconstructed content of the failed storage node.

According to a further embodiment of the disclosure, j′ is calculated by the controller, and transmitted to the surviving storage nodes.

According to a further embodiment of the disclosure, each surviving storage node calculates j′ based on an index of each surviving storage node and an index of the failed storage node.

According to a further embodiment of the disclosure, j′ is pre-calculated for each storage node.

According to a further embodiment of the disclosure, multiplying, by each surviving storage node i, the content c_(i) of each said node i by a j-th component of vector w(i) comprises calculating, by each node i, i≠j₀, wherein j₀ is the identifier of the failed node, out_(i):=Tr(w(i)_(j(i,j) ₀ ₎·c_(i))=Σ_(a=0) ^(m−1)(w(i)_(j(i,j) ₀ ₎·c_(i))² ^(ar) .

According to a further embodiment of the disclosure, convening the result from an m×r bit representation into a reduced representation of r bits comprises, when elements of field F₂ _(mr) are represented as length-m vectors in vector space (F₂ _(r) )^(m) according to a basis 1, α, . . . , α^(m−1) of F₂ _(mr) over F₂ _(r) , transmitting, by each node node i, i≠j₀, the first coordinate of out_(i) to the controller.

According to a further embodiment of the disclosure, converting the result from an m×r bit representation into a reduced representation of r bits comprises, when elements of field F₂ _(mr) are represented as length-mr vectors of bits in vector space F₂ ^(mr) according to a basis 1, α, . . . , α^(mr−1) of F₂ _(mr) over F₂, wherein α is a primitive element of field F₂ _(mr) , and transmitting, by each node i, i≠j₀, a product M·out_(i) to the controller, wherein matrix M∈F₂ ^(r×mr).

According to a further embodiment of the disclosure, matrix M∈F₂ ^(r×mr) is r rows of a matrix T∈F₂ ^(r×mr) with indices supporting an r×r identity matrix in TM₁, wherein M₁ ∈F₂ ^(mr×r) is a matrix whose j-th column, j=0, . . . , m−1 is a length-mr binary representation of β^(j) according to a basis {1, α, . . . , α^(mr−1)} of field E over field F₂, E:=F₂ _(mr) , and β is a primitive element of field F₂ _(r) =F.

According to a further embodiment of the disclosure, reconstructing content of the failed storage node from the reduced representation of each surviving node's content includes the steps of calculating t^(T)=(t₁, . . . , t_(m))^(T):=A′z^(T)∈(F′)^(m) using a matrix A′∈(F′)^(m×(n−1)), wherein F′:=F₂[X]/(P₁(X)), wherein p₁(X) is a minimal polynomial of β, wherein vector z:=(z₁, . . . , z_(n−1))∈(F′)^(n−1) wherein z_(a):=

_(i) for all a=1, . . . , n−1 and for i≠j₀ for which j′=a, wherein n is a total number of storage nodes and

_(i) is the reduced representation of surviving node i's content; wherein matrix A′ is a matrix obtained by replacing each entry a_(ij) of A by Ma_(ij) when a_(ij) is regarded as a column vector in F₂ ^(mr) according a basis {1, α, . . . , α^(mr−1)} of F₂ _(mr) over F₂, wherein matrix A∈F^(m×(n−1)) is a matrix with rows c₁, . . . , c_(m) that are m linearly independent vectors ∈F^(n−1) that complete a basis of C″ to be a basis of C′, wherein C′:={c∈F^(n−1)|H′c^(T)=0}, the F-subfield subcode of the code with parity-check matrix H′, and C″:={c∈F^(n−1)|H″c^(t)=0}, the F-subfield subcode of the code with parity-check matrix H″, wherein

${{H^{''} \in E^{k \times {({n - 1})}}}:=\begin{pmatrix} v \\ H^{\prime} \end{pmatrix}},{{H^{\prime} \in E^{{({k - 1})} \times {({n - 1})}}}:={G^{\prime} \cdot \begin{pmatrix} v_{1} & \; & \; \\ \; & \ddots & \; \\ \; & \; & v_{n - 1} \end{pmatrix}}},{{G^{\prime} \in E^{{({k - 1})} \times {({n - 1})}}}:=\begin{pmatrix} u_{1} & \ldots & u_{n - 1} \\ u_{1}^{2} & \ldots & u_{n - 1}^{2} \\ \vdots & \ddots & \vdots \\ u_{1}^{k - 1} & \ldots & u_{n - 1}^{k - 1} \end{pmatrix}},\left( {v_{l},\ldots\mspace{14mu},v_{n - l}} \right)$ are elements of vector v, and (u₁, . . . , u_(n−1)) are non-zero elements of evaluation set V, and wherein matrix M∈F₂ ^(r×mr) is r rows of a matrix T∈F₂ ^(mr×mr) with indices supporting an r×r is identity matrix in TM₁, wherein M₁∈F₂ ^(mr×r) is a matrix whose j-th column, j=0, . . . , m−1, is the length-mr binary representation of β^(j) according to the basis {1, α, . . . , α^(mr−1)} of E over F₂, wherein β is a primitive element of field F_(i) _(r) =F and α is a primitive element of field F₂ _(mr) ; embedding elements t∈(F′)^(m) in field E:=F₂ _(mr) to obtain a vector w∈F^(m); and restoring the content of the failed storage node by calculating y_(i)=Σ_(a=1) ^(m) w_(a)x_(a), wherein {x₁, . . . , x_(m)}⊂E form a dual basis for E over F with respect to a basis whose elements are entries of vector y=(y₁, . . . , y_(m))^(T):=Av^(T)∈E^(m).

According to a further embodiment of the disclosure, embedding elements of t∈(F′)^(m) in E to obtain a vector w∈F^(m) includes calculating w_(a):=M₁·t_(a) for a=1, . . . , m, wherein each coordinate t_(a) of t is represented as a length-r binary column vector according to the basis 1, β′, . . . , (β′)^(r−1) of F′ over F₂, and outputting w:=(w₁, . . . , w_(m)), wherein each entry of w is a vector representation of an element of E, according to the basis {1, α, . . . , α^(mr−1)}.

According to another embodiment of the disclosure, there is provided a non-transitory program storage device readable by a computer, tangibly embodying a program of instructions executed by the computer to perform the method steps for repairing a single erasure in an RS code over a finite field F₂ ^(mr) with an evaluation set V={u₀=0, u₁, . . . , u_(n−1)} that is a subspace of size n=2^(d), for d<mr and divisible by m, wherein a normalized repair bandwidth b≈(n−1)/m and a number of information symbols is k<=2^(d)−2^(d−d/m), in a system of a plurality of n storage nodes and a controller, wherein content c_(i) of each storage node i is an element of the finite field F₂ ^(mr) and each node stores a vector v whose entries are inverses of non-zero elements of the evaluation set V.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A-B is a flowchart of an offline part of an algorithm for repairing corrupted Reed-Solomon codes, according, to embodiments of the disclosure.

FIG. 2 is a flowchart of an online part of an algorithm for repairing corrupted Reed-Solomon codes according to embodiments of the disclosure.

FIG. 3 is a flowchart of a method for reconstructing an erased symbol from reduced-size data, according to an embodiment of the disclosure.

FIG. 4 is a block diagram of a system for repairing corrupted Reed-Solomon codes, according to an embodiment of the disclosure,

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

Exemplary embodiments of the invention as described herein generally provide systems and methods for repairing corrupted Reed-Solomon codes. While embodiments are susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that there is no intent to limit the invention to the particular forms disclosed, but on the contrary, the invention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. Herein, when two or more elements are described as being about the same as each other, such as A≈B, it is to be understood that the elements are identical to each other, indistinguishable from each other, or distinguishable from each other but functionally the same as each other as would be understood by a person having, ordinary skill in the art.

1. Overview

It was recently shown by V. Guruswami and M. Wootters, “Repairing Reed-Solomon. Codes”, arXiv:1509.04764v1, the contents of which are herein incorporated by reference in their entirety, hereinafter Guruswami, that if C is a Reed-Solomon code of length n:=q^(m) over

_(q) _(m) , where q is a prime power, and m∈

, and n−dim(C)≥n/q, then any erased coordinate in C can be repaired by “transmitting” only one

_(q)-element from each one of the non-erased coordinates. Embodiments of the disclosure consider such simple repair schemes:

_(q)-linear repair schemes in which repairing a single erased coordinate in an

_(q) _(m) -linear code requires transmitting at most one

_(q)-symbol from each non-erased coordinate.

According to embodiments, a necessary and sufficient condition for a code to have a simple repair scheme is provided. A condition according to an embodiment is closely related to the task of finding the dimension of subfield-subcodes. In the case where the code to be repaired is a Reed-Solomon code, a condition according to an embodiment is closely related to the task of calculating the dimension of alterant codes. As a first application of the condition, it is used to re-prove the above result of Guruswami.

According to embodiments, the case of Reed-Solomon codes over

₂ _(2r) with an evaluation set hat is an

₂-subspace of

₂ _(2r) is considered. Here, q=2^(r), while m=2. In this context, it is shown that for all even d≥4, if r≥d−1+log₂(d), then there exists a d-dimensional

₂-subspace U of

₂ _(2r) such that the

Reed-Solomon code defined on U has a simple repair scheme.

For the special case where d=4, it is shown that for all r≥2, there exists an appropriate

₂-subspace U⊆

₂ _(2r) such that the

Reed-Solomon code defined on U has a simple repair scheme. Shortening such a

code, a

shortened Reed-Solomon code is obtained that requires reading a total of only 52 bits for repairing any single erased coordinate. Note that in the best existing repairing scheme for the

Hadoop distributed file system (HDFS) code, repairing a single erased coordinate requires reading a total of 64 or 60 bits, depending on the erased coordinate, from the non-erased coordinates. In addition, the “Hitchhiker-nonXOR” code of Rashmi et al., “A ‘Hitchhiker's’ Guide to Fast and Efficient Data Reconstruction in Erasure coded Data Centers”, SIGCOMM'14, Aug. 17-22, 2014, Chicago, USA, the contents of which are herein incorporated by reference in their entirety, achieves the same saving in repair bandwidth as a code according to embodiments, but only for the 10 information coordinates, and at the cost of coupling pairs of bytes,

In addition to the above case of of Reed-Solomon codes over

₂ _(2r) , for which there is a proof that many subspaces result in a simple repair scheme for any r and even d, as long as the dimension k satisfies k≥2^(d)−2^(d/2), embodiments of the disclosure also consider the case of Reed-Solomon codes over

₂ _(mr) for m>2. For this case, there exist some concrete examples of subspaces U of dimension d divisible by m, such that for an RS code of dimension

$k \leq {2^{d} - 2^{d - \frac{d}{m}}}$ with evaluation set U, there is a simple

₂ _(r) -linear repair scheme. With such a scheme, when a single node fails, the surviving nodes need transmit only 1/m of their content to restore the failed node. 2. Preliminaries

Throughout this disclosure, q is a prime power and m∈

*. If F is a field and M∈F^(r×n), for r, n∈

8, then ker(M) represents the kernel of the map F^(n)→F^(r) defined by x

Mx. If F is a finite field, then for k, n∈

, an [n, k]_(F) code is an F-linear code of dimension k in F^(n).

2.1. The Trace Map

-   Definition 2.1: The trace map, Tr=     :     _(z) _(m) →     _(q), is defined by

$\begin{matrix} {{{{Tr}(x)}:={x + {\sigma(x)} + {\sigma^{2}(x)} + \ldots + {\sigma^{m - 1}(x)}}},} \\ {{= {x + x^{q} + x^{q^{2}} + \ldots + x^{q^{m - 1}}}},} \end{matrix}$ where τ:x

x^(q) is the Frobenius automorphism of

_(q) _(m) over

_(q). For x, Y∈

_(q) _(m) , the notation x·_(Tr)y:=Tr(xy) will be used. In addition, for x∈

_(q) _(m) and y=(y₀, . . . , y_(n−1))∈

_(q) _(m) ^(n) for some n∈

*, write x· _(Tr) y;=(x· _(Tr) y ₀ , . . . ,x· _(Tr) y _(n−1))∈

_(q) ^(n), and similarly for column vectors,

Since a polynomial of degree q^(m−1) cannot have q^(m) roots, the trace is not identically zero, and hence (x, y)

Tr(xy)=x·_(Tr)y is a non-degenerate symmetric

_(q)-bilinear form. As usual in this case of finite dimension, the map φ:x

(y

x·_(Tr)y) is an isomorphism of

_(q)-vector spaces between

_(q) _(m) and its dual space.

Let b₁, . . . , b_(m) be a basis of

_(q) _(m) over

_(q). The elements b′₁, . . . , b′_(m) that map under φ to the dual basis of b₁, . . . , b_(m) are referred to as the trace-dual basis of b₁, . . . , b_(m). By definition, b₁·_(Tr)b′_(j)=1_((i=j)), so that if x∈

_(q) _(m) is represented as x=Σ_(i) a_(i)b_(i) with a_(i)∈

_(q) for all i, then for all i, a_(i)=x·_(Tr)b′_(i).

-   Remark 2.2 Note that for all x,y,z∈     _(q) _(m) , (xy)·_(Tr)z=x·_(Tr)(yz).     2.2, Linear Repair Schemes

Linear repair schemes are defined in Guruswami, incorporated by reference above, as follows.

-   Definition 2.3 Let n∈     *, let C⊂     _(q) _(m) ^(n) be a linear code, and let i∈{0, . . . , n−1}. An     _(q)-linear repair scheme for coordinate i of C comprises:     -   1. For all j∈{0, . . . , n−1}\{i}, a set L_(j) of         _(q)-linear functionals         _(q) _(m) →         _(q);     -   2. An         _(q)-linear function ƒ:         _(q) ^(Σ) ^(j≠i) ^(|L) ^(j) ^(|)→         _(q) _(m) , such that for all (c₀, c₁, . . . , c_(n−1))∈C:

$c_{i} = {{f\left( \left\{ {\ell\left( c_{j} \right)} \right\}_{\underset{\ell \in L_{j}}{j \neq i}} \right)}.}$ The repair bandwidth b_(i) of the above repair scheme for coordinate i of C is defined as b_(i):=log₂(q)·Σ_(j≠i)|L_(j)|. This is the total number of bits that have to be read from the non-erased coordinates to restore the erased coordinate i. The normalized repair bandwidth b_(i) is the repair bandwidth divided by the number of bits stored in a single node.

If for all j≠i, |L_(j)|≤1, then the linear repair scheme for coordinate i is simple.

So, in a simple linear repair scheme for coordinate i, at most 1 sub-symbol, i.e., a symbol from the subfield

_(q), has to be read from each non-erased coordinate to restore coordinate i. Hence, the repair bandwidth is not larger than (n−1)log₂(q).

-   Remark 2.4 If a linear code C⊆     _(q) ^(n) has a transitive automorphism group, then the existence of     a simple     _(q)-linear repair scheme for some coordinate of C is equivalent to     the existence of a simple     _(q)-linear repair scheme for all coordinates. Recall that the     automorphism group of C is the set Aut(C) of all permutations τ of     {0, . . . , n−1} such that τ·C=C, where for c=(c₀, . . . ,     c_(n−1))∈C, the action of τ defined by τ·c=(c_(τ(0)), . . . ,     c_(τ(n−1))), the group operation on Aut(C) is composition. Aut(C) is     called transitive if for all i,j, there exists τ∈Aut(C) with τ(i)=j.     More generally, if there exists a linear repair scheme for some     coordinate i of C and C has a transitive automorphism group, then     the repair scheme can be permuted to become a linear repair scheme     for any coordinate i′. In detail, let τ be an automorphism of C with     τ(i)=i′. By re-labeling the coordinates, the task of restoring     coordinate i′ of (c₀, . . . , c_(n−1))∈C is transformed to the task     of restoring coordinate i of d:=(c_(τ(0)), . . . , c_(τ(i)), . . . ,     c_(τ(n−1))∈C. So, using the notation of Definition 2.3, to restore     coordinate i′, for all j≠i(⇔τ(j)≠τ(i)=i′), node τ(j) should use the     functionals from L_(j) to calculate the sub-packets it transmits. -   Remark 2.5 Suppose that a code C has a simple     _(q)-linear repair scheme for some coordinate i. Then the same holds     also for any subcode Consequently, if C has a simple repair scheme     for all coordinates, so does any code obtained by shortening C.     3. The Repairing Theorem

According to an embodiment of the disclosure, a necessary and sufficient condition for the existence of a simple

_(q)-linear repair scheme is presented. A result according to an embodiment of the disclosure is Theorem 3.2, which specifies a condition in terms of the dimensions of some sub field subcodes.

For a vector v, write diag(v) for the diagonal matrix with v on its main diagonal.

-   Lemma 3.1 For n∈     , let C⊆     _(q) _(m) ^(n) be a linear code of dimension k with the first     coordinate not identically zero, so that C has a generator matrix of     the form

$\begin{matrix} {G:={\begin{pmatrix} 1 & g_{01} & g_{02} & \ldots & g_{0,{n - 1}} \\ 0 & g_{11} & g_{12} & \ldots & g_{1,{n - 1}} \\ 0 & g_{21} & g_{22} & \ldots & g_{2,{n - 1}} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & g_{{k - 1},1} & g_{{k - 1},2} & \ldots & g_{{k - 1},{n - 1}} \end{pmatrix} = {:{\begin{pmatrix} 1 & g_{0} \\ 0^{T} & G^{\prime} \end{pmatrix}.}}}} & (1) \end{matrix}$ Then the code C has a simple

_(q)-linear repair scheme for the first coordinate if and only if the following condition holds:

-   Condition (*): There exists a vector v:=(v₁, . . . , v_(n−1))∈     _(q) _(m) ^(n−1) such that, writing C′⊆     _(q) ^(n−1) for the code with parity-check matrix H′:=G′diag(v),     where C′ is the     _(q)-subfield subcode of ker(H′), there exists an     _(q)-linear subcode D⊆C′ with     -   (1) dim(D)=m and     -   (2) D∩ker(g₀ diag(v))={0}. -   Proof: A general codeword of C has the form     c=(c ₀ ,c ₁ , . . . ,c _(n−1)):=(x ₀ ,x ₁ , . . . ,x _(k−1))G     for some x₀, . . . , x_(k−1)∈     _(q) _(m) . A task is to restore c₀=x₀ from the known c₁, . . . ,     c_(n−1). For all j∈{1, . . . , n−1}, there is

$c_{j} = {{g_{0j}x_{0}} + {\sum\limits_{i = 1}^{k - 1}{g_{ij}{x_{i}.}}}}$ A general

_(q)-linear functional of the form v_(j·Tr)(−), for some v_(i)∈

_(q) _(m) , can be applied to c_(j) while recalling Remark 2.2, to get v _(j)·_(Tr) c _(j)=(v _(j) g _(0j))·_(Tr) x ₀+Σ_(i=1) ^(k−1)(v _(j) g _(ij))·_(Tr) x _(i).  (2) Collecting EQS. (2) for all j∈(1, . . . , n−1): {v _(j)·_(Tr) c _(j)}_(j=1) ^(n−1) =x ₀·_(Tr) {v _(j) ^(g) _(0j)}_(j=1) ^(n=1)+Σ_(i=1) ^(k−1) x _(i)·_(Tr) {v _(j) g _(ij)}_(j=1) ^(n−1).  (3) Because

_(q) _(m) ≅

_(q) ^(m) as an

_(q)-vector space, the map ƒ of Definition 2.3 might as well have a codomain of

_(q) ^(m). So, let A∈∈_(q) ^(m×(n−1)), and consider the vector A{v _(j)·_(Tr) c _(j)}_(j=1) ^(n−1) =x ₀·_(Tr)(A{v _(j) g _(0j)}_(j=1) ^(n−1))+Σ_(i=1) ^(k−1) x _(i)·_(Tr)(A{v _(j) g _(ij)}_(j=1) ^(n−1)), where the equality follows from EQ. (3) and the

_(q)-bilinearity of (−)·_(Tr)(−), which implies that, for all i and all l:

$\begin{matrix} {\left( {A \cdot \left( {x_{i} \cdot_{Tr}\left\{ {v_{j}g_{ij}} \right\}_{j}} \right)} \right)_{\ell} = {{{row}_{\ell}(A)} \cdot \left( {x_{i} \cdot_{Tr}\left\{ {v_{j}g_{ij}} \right\}_{j}} \right)}} \\ {= {{x_{i} \cdot_{Tr}\left( {{{row}_{\ell}(A)} \cdot \left\{ {v_{j}g_{ij}} \right\}_{j}} \right)}({bilinearity})}} \\ {= {\left( {x_{i} \cdot_{Tr}\left( {A \cdot \left\{ {v_{j}g_{ij}} \right\}_{j}} \right)} \right)_{\ell}.}} \end{matrix}$

Because the x_(i) are arbitrary, a necessary condition for reconstruction is that

(i) ∀i∈{1, . . . , k−1}: A{v_(j)g_(ij)}_(j=1) ^(n−1)=0, and

(ii) The m elements of the vector A{v_(j)g_(0j)}_(j=1) ^(n−1)=A(g₀diag(v))^(T)∈

_(q) _(m) ^(m) are

_(q)-linearly independent, that is, these elements form a basis for

_(q) _(m) /

_(q).

But (i) and (ii) is clearly also a sufficient condition: given (i), then A{v _(j)·_(Tr) c _(j)}_(j=1) ^(n−1) =x ₀·_(Tr)(A{v _(j) g _(0j)}_(j=1) ^(n−1)), and given (ii), the elements of this vector are the coefficients in the description of x₀ as a linear combination of the elements of the dual of the basis in (ii). So, there exists a simple repair scheme for the first coordinate of C if there exist v and A such that conditions (i) and (ii) bold.

Note that condition (i) is equivalent to

${\begin{pmatrix} {v_{1}g_{11}} & {v_{2}g_{12}} & \ldots & {v_{n - 1}g_{1,{n - 1}}} \\ \vdots & \vdots & \ddots & \vdots \\ {v_{1}g_{{k - 1},1}} & {v_{2}g_{{k - 1},2}} & \ldots & {v_{n - 1}g_{{k - 1},{n - 1}}} \end{pmatrix}A^{T}} = 0.$ Recalling that H′:=G′ diag(v), it can be seen that condition (i) is equivalent to H′A^(T)=0.

To, complete the proof, it will be verified that condition (*) ⇔ there exists v and A such that conditions (i) and (ii) hold.

⇒:Suppose that condition (*) holds. Let the m rows of A be a basis of the code D. Then by the definition of D, it follows that H′A^(T)=0, so that condition (i) holds. For condition (ii), suppose that there exists a row vector t∈

_(q) ^(m) such that t(A(g₀diag(v))^(T))=0. Then A^(T)t^(T) is in D∩ker(g₀diag (v)), and hence must be the zero vector. Since the rows of A are independent, this implies that t is the zero vector, as required.

⇐: Suppose that there exist v and A such that conditions (i) and (ii) hold. Because of condition (ii), the rows of A must be

_(q)-linearly independent. Let D be the

_(q)-span of the rows of A. Then dim(D)=m. In addition, since by condition (i) H′A^(T)=0, it holds that D⊆C′. Finally, a vector in D is of the form tA for some row vector t∈

_(q) ^(m). If (tA)^(T)∉ker(g₀diag (v)), then (g ₀diag(v)A ^(T))t ^(T)=0. Because the elements of the vector g₀diag(v)A^(T)

_(q)-linearly independent by condition (ii), it can be seen that t is the zero vector, as required.

-   Theorem 3.2 The code C of of Lemma 3.1 has a simple     _(q)-linear repair scheme for the first coordinate if and only if     the following condition holds: -   Condition (**): There exists a vector v:=(v₁, . . . , v_(n−1)) ∈     _(q) _(m) ^(n−1) such that the following condition holds:

Writing C′⊆

_(q) ^(n−1) for the code with parity-check matrix H′:=G′diag(v) and C″⊆

_(q) ^(n−1) for the code with parity-check matrix

${H^{''}:={\begin{pmatrix} g_{0} \\ G^{\prime} \end{pmatrix}{diag}(v)}},$ it follows that dim(C″)≤dim(C′)−m, which is equivalent to dim(C″)=dim(C′)−m. Note that adding one line to a check matrix over

_(q) _(m) for a code over

_(q) can decrease the dimension by at most m.

-   Proof. It will be shown that Condition (**) of the theorem⇔Condition     (*) of Lemma 3.1.

⇒: Suppose that (**) holds. Then it is possible to choose c₁, . . . , c_(m)∈

_(q) ^(n−1) that complete a basis of C″ to a set of dim(C″)+m linearly independent elements in C′. Let D be the

_(q)-span of c₁, . . . , c_(m)). Then by construction D ⇔ C′, and dim(D))=m. Also,

$\begin{matrix} {{D\bigcap{\ker\left( {g_{0}{{diag}(v)}} \right)}} = {\left( {D\bigcap C^{\prime}} \right)\bigcap{{\ker\left( {g_{0}{{diag}(v)}} \right)}\left( {{sinceD} \Subset C^{\prime}} \right)}}} \\ {= {D\bigcap\left( {C^{\prime}\bigcap{\ker\left( {g_{0}{{diag}(v)}} \right)}} \right)}} \\ {= {D\bigcap C^{''}}} \\ {{= \left\{ 0 \right\}},} \end{matrix}$ where the last equality follows front the way the basis of D as constructed.

⇐: Suppose that Condition (*) holds. Then C′⊇(C′∩ker(g ₀diag(v)))⊕D. But C′∩ker(g₀diag(v)) is just C″, so that C′⊇C″⊕D. Since dim(D)=m by assumption, it follows that dim(C″)≤dim(C′)−m. 4. Reed-Solomon Codes of Length q^(m) over

_(q) _(m)

As a first example for an application of Theorem 3.2, Theorem 1 of Guruswami, incorporated above, will be re-proven. According to embodiments of the disclosure, from this to point on, a Reed-Solomon code of dimension k∈

over θ_(q) _(m) is the code obtained by evaluating polynomials of degree≤k−1 from

_(q) _(m) [X] on a subset comprising at least k points of

_(q) _(m) .

-   Theorem 4.1 (Theorem 1 of Guruswami): Write n:=q^(m), let k∈     be such that n−k≥n/q, that is, such that k≤q^(m)−q^(m−1). Then the     Reed-Solomon code of length n and dimension k over     _(q) _(m) has a simple     _(q)-linear repair scheme for any coordinate. -   Proof. First, since a linear repair scheme, for at code is     automatically also a linear repair scheme for any subcode, it     suffices to consider the case k=q^(m)−q^(m−1). Also, since the code     has a (doubly) transitive automorphism group, it suffices to     establish a simple linear repair scheme for the first coordinate     (see Remark 2.4, above).

Now, suppose that k=q^(m)−q^(m−1), and let α∈

_(q) _(m) be a primitive element. Then the following generator matrix for the Reed-Solomon code of dimension k and length q^(m) is already in the form of EQ. (1)

$\begin{matrix} {G:=\begin{pmatrix} 1 & 1 & 1 & 1 & \ldots & 1 \\ 0 & 1 & \alpha & \alpha^{2} & \ldots & \alpha^{n - 2} \\ 0 & 1 & \alpha^{2} & \left( \alpha^{2} \right)^{2} & \ldots & \left( \alpha^{n - 2} \right)^{2} \\ \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 1 & \alpha^{q^{m} - q^{m - 1} - 1} & \left( \alpha^{2} \right)^{q^{m} - q^{m - 1} - 1} & \ldots & \left( \alpha^{n - 2} \right)^{q^{m} - q^{m - 1} - 1} \end{pmatrix}} \\ {{= {:\begin{pmatrix} 1 & 1 \\ 0^{T} & G^{\prime} \end{pmatrix}}},} \end{matrix}$ where g₀=1, the all ones row vector of length q^(m)−1.

For j∈{1, . . . , q^(m)−1}, let v_(j):=α^(−(j−1)). Then H′=G′diag(v) is a check matrix of the cyclic code over

_(q) of length q^(m)−1 and zeros the elements of Z′:={1, α, . . . , α^(q) ^(m) ^(−q) ^(m−1) ⁻²} and their conjugates over

_(q), while

${H^{''} = {\begin{pmatrix} g_{0} \\ G^{\prime} \end{pmatrix}{{diag}(v)}}},$ is a check matrix of the cyclic code over

_(q) with zeros the elements of Z″:=Z′ ∪ {α⁻¹} and their conjugates.

By Theorem 3.2, it is sufficient to, show that Z′ does, not contain an element of the orbit of α⁻¹ under the action of Gal(

_(q) _(m) /

_(q))

σ

, and that the orbit of α⁻¹ has m elements. In this regard, recall that for a cyclic code C of length n′ with generator polynomial g, it follows that dim(C)=n′−deg(g). Translating to the language of cyclotomic cosets, it should he shown that, the cyclotomic cosets modulo q^(m)−1 the numbers in {0, 1, . . . , q^(m)−q^(m−1)−2} do not include the cyclotomic coset of (−1)≡q^(m)−2, and that this last cyclotomic coset has m elements.

According to embodiments of the disclosure, it will be convenient to represent numbers in {0, . . . , q^(m)−2} as their length-m base-q expansions. So, for i∈{0, . . . , q^(m)−2}, write [i]_(q)=(i_(m−1), i_(m=2), . . . , i₀) for its base-q expansion, so that i=Σ_(j=0) ^(m−1) i_(j)q^(j).

Now, [q ^(m)−2]_(q)=(q−1,q−1, . . . ,q−1,q−2).  (4) Since all m cyclic shifts of this vector are distinct, the cyclotomic coset of q^(m)−2 indeed has m elements.

Also, since q^(m)−q^(m−1)1=(q^(m)−1)−q^(m−1), then [q ^(m) −q ^(m−1)1]_(q)=(q−2,q−1, . . . ,q−1,q−1).  (5) It follows from EQS. (4) and (5) that q^(m)−q^(m−1)−1 is the smallest element in the cyclotomic coset of q^(m)−2. Hence this cyclotomic coset does not contain any number in {0, 1, . . . , q^(m)−q^(m−1)−2}. 5. Reed-Solomon Codes on

₂-Subspaces of

₂ _(2r)

According to embodiments, this section presents simple repair schemes for Reed-Solomon codes defined on an

₂-subspace of

_(q) ₂ , where q=2^(r). A result according to an embodiment is Theorem 5.11, which states that for all even dimension d and for all r≥d−1+log₂(d), there exists an

₂-subspace U⊆

₂ _(2r) with dim

₂ (U)=d, such that the [2^(d), 2^(d)−

Reed-Solomon code defined on U has a simple repair scheme. Moreover, the probability that a randomly selected subspace results in a simple repair scheme is 1−O(1/2^(r)).

In general, to check if Condition (**) holds, there is a need for an exact formula for the dimension of subfield subcodes, as lower bounds are insufficient. For this, some results from H. Stichtenoth, “On the dimension of Subfield Subcodes”, IEEE Trans. Inform. Theory, Vol. 36, No. 1, January 1990, the contents of which are herein incorporated by reference in their entirety, will be used, as follows. In what follows, let

σ

operate on vectors coordinate-wise.

-   Proposition 5.1 (Lemmas 1, 2 and Corollary 1 of Stiehtenoth): For q     a prime power and m∈     , let σ:x     x^(q) be the Frobenius automorphism of     _(q) _(m) /     _(q). For n′∈     , let D⊆     _(q) _(m) ^(n′) be a linear code. Write D⁰:=∩_(i=0) ^(m−1) σ^(l)(D)     and D^(Λ):=Σ_(i=0) ^(m−1) σ^(i)(D). Then     -   1. dim(         )=dim(D⁰)     -   2. (D⁰)^(⊥)=(D^(⊥))^(Λ)     -   3. dim(         )=N′−dim (D^(⊥))^(Λ)

It will be convenient to state explicitly a special case of Proposition 5.1.

-   Corollary 5.2 With the notation of Proposition 5.1, suppose that     m=2. Then

$\begin{matrix} {{\dim\left( \left. D \right|_{{\mathbb{F}}_{q}} \right)} = {n^{\prime} - {\dim\left( {D^{\bot} + {\sigma\left( D^{\bot} \right)}} \right)}}} & (6) \\ {\mspace{110mu}{= {n^{\prime} - {\left( {{2{\dim\left( D^{\bot} \right)}} - {\dim\left( {D^{\bot}\bigcap{\sigma\left( D^{\bot} \right)}} \right)}} \right).}}}} & (7) \end{matrix}$

Before considering Reed-Solomon codes defined on

₂-vector subspaces of

_(q) ₂ , need some additional background is needed.

-   Definition 5.3 Let K⊂L be finite fields. A K-linearized polynomial     over L is a polynomial of the form Σ_(i=0) ^(l) a_(i)X^(|K|) ^(l)     ∈L[X]. Note that such a polynomial defines a K-linear map L→L. -   Theorem 5.4 (Theorem 3.52 of R. Lidl and H. Niederreiter, Finite     Fields, Vol. 20 of Encyclopedia of Math. and its Applications, 2nd     Ed., CUP, 1997, p. 110) Let K⊂L be finite fields. Let U⊂L be a     K-linear subspace. Then Π_(x∈U) (X−x) is a K-linearized polynomial     over L.

From this point on, q is always a power of 2. Turn now to Reed-Solomon codes defined on

₂-vector subspaces of

_(q) ₂ . Note that these codes have a transitive automorphism group: For a subspace U and for y∈U, the map τ_(y):x

x+y permutes U, and is therefore an automorphism of the Reed-Solomon code defined on U, for the reason that the variable change X

X+y does not increase the degree of a polynomial.

Let U be an

₂-subspace of

_(q) ₂ , and set d:=dim(U). Let n:=|U|=2^(d), and let n′:=n−1 For l∈

, l≤n′−1, let C=C(U, l) be the Reed-Solomon code obtained by evaluating polynomials of degree≤l from

_(q) ₂ [X] on the points of U. Since C has a transitive automorphism group, it is sufficient to consider repairing schemes for the coordinate corresponding to 0∈U.

From this point on, according to embodiments, it will be assumed that the vector v of Theorem 3.2 is defined by v_(u):=1/u for all u∈U\{0}, assuming that coordinates are labeled by elements of U. With this choice of v, the rows of the matrix H′ of Theorem 3.2 can be considered as a basis for the space of polynomial functions U\{0}→

_(q) ₂ coming from polynomials of

_(q) ₂ [X] of degree≤l−1.

Let ƒ_(U)(X):=Π_(x∈U) (X−x). Then by Theorem 5.4, there are some a₀, . . . , a_(d−1)∈

_(q) ₂ such that ƒ_(U)(X)=X ² ^(d) +a _(d−1) X ² ^(d−1) + . . . +a ₀ X, and with a₀≠0 (since ƒ separable by definition). There is an isomorphism of

_(q) ₂ -algebras μ:

_(q) ₂ [X]/ƒ_(U) /X){tilde over (→)}{polynomial functions U\{0}→

_(q) ₂ } g+(ƒ_(U) /X)

(x

g(x)). For a polynomial g(X)∈

_(q) ₂ [X], write g for the image of g in

_(q) ₂ [X]/(ƒ_(U)/X).

Let D′⊆

_(q) ₂ ^(n−1) defined by D′:=ker(H′) for the matrix H′ of Theorem 3.2, recalling that the vector v is fixed and defined by v_(u):=1/u for all u∈U\{0}). Note that C′=D′|

_(q) . Then 1, X, . . . , X ^(l−1) is a basis for μ⁻¹(D′^(⊥)). Hence,

$\begin{matrix} {{\dim\left( {D^{\prime\bot}\bigcap{\sigma\left( D^{\prime\;\bot} \right)}} \right)} = {\dim\left( {\mu^{- 1}\left( {D^{\prime\;\bot}\bigcap{\sigma\left( {D^{\prime}}^{\bot} \right)}} \right)} \right)}} \\ {= {\dim\left( {{\mu^{- 1}\left( D^{\bot} \right)}\bigcap{\mu^{- 1}\left( {\sigma\left( D^{\prime\;\bot} \right)} \right)}} \right)}} \\ {= {{\dim\begin{pmatrix} {{{Span}_{{\mathbb{F}}_{q^{2}}}\left\{ {\overset{\_}{1},\overset{\_}{X},\ldots\mspace{14mu},{\overset{\_}{X}}^{\ell - 1}} \right\}}\bigcap} \\ {{Span}_{{\mathbb{F}}_{q^{2}}}\left\{ {\overset{\_}{1},{\overset{\_}{X}}^{q},\ldots\mspace{14mu},\left( {\overset{\_}{X}}^{q} \right)^{\ell - 1}} \right\}} \end{pmatrix}}.}} \end{matrix}$

Similarly, let D″⊆

_(q) ₂ ^(n−1) be defined by D″:=ker(H″) for the matrix H″ of Theorem 3.2 and for our fixed v. Then 1, X, . . . , X ^(l−1), X ⁻¹ span μ⁻¹(D″^(⊥)), (this is, in fact, a basis for μ⁻¹(D″^(⊥)): Since X ⁻¹=a₀ ⁻¹ X ² ^(d) ⁻²+a₀ ⁻¹ a_(d−1) X ² ^(d−1) ⁻²+ . . . +a₀ ⁻¹a₁ (see below), the assumption l−1<2^(d)−2 implies that X ⁻¹∉Spa

{1, X, . . . , X ^(l−1)}) and 1, X ^(q), . . . , (X ^(q))^(l−1), (X ⁻¹)^(q) span μ⁻¹(σ(D″^(⊥))).

Recalling that ƒ_(U)(X)/X=X² ^(d) ⁻¹+a_(d−1)X² ^(d) ⁻¹+ . . . +a₀ (where a₀≠0), then X ⁻¹ =a ₀ ⁻¹ X ² ^(d) ⁻² +a ₀ ⁻¹ a _(d−1) X ² ^(d−1) ⁻² + . . . +a ₀ ⁻¹ a ₁, and ( X ⁻¹)^(q) =a ₀ −q( X ^(q))² ^(d) ⁻² +a ₀ ^(−q) a _(d−1) ^(q)( X ^(q))² ^(d−1) ⁻² + . . . +a ₀ ^(−q) a ₁ ^(q). This implies the following lemma.

-   Lemma 5.5 with the above notation, if l−b≥2^(d−1)−2, then     Spa     {1, X, . . . ,X ^(L−1) ,X ⁻¹}=Spa     {1, X, . . . ,X ^(l−1) ,X ² ^(d) ⁻²},     and     Spa     {1, X ^(q), . . . ,( X ^(q))^(l−1),( X ⁻¹)^(q)}=Spa     {1, X ^(q), . . . ,( X ^(q))^(l−1),( X ^(q))² ^(d) ⁻²}. -   Proof. Clear. -   Definition 5.6. For j∈     , let wt₂(j) be the number of 1's in the binary expansion of j: If     j=Σ_(i=0) ^(r) a_(i)2^(i) with a_(i) ∈{0,1} for all i, then     wt₂(j):=Σ_(i=0) ^(r) a_(i). -   Lemma 5.7 For all j₁, j₂∈     , wt₂(j₁+j₂)≤wt₂(j₁)+wt₂(j₂). -   Proof. Suppose first that j₂=2^(s) for some s. Write j₁=Σ_(i=o) ^(r)     a_(i)2^(i), where     r:=max{└log₂(j ₁)┘,s}+1,     so that r>s and a_(r)=0. If a_(s)=0, then clearly     wt₂(j₁+j₂)=wt₂(j₁)+wt₂(j₂) Otherwise, let s′>s be the smallest such     that a_(s′)=0. The single 1 from the binary expansion of j₂     propagates as a carry, so that for all i∈{s, s+1, . . . , s′−1}, the     i-th digit of the binary expansion of j₁+j₂ is 0, the s′-th digit of     this binary expansion is 1, and all other digits of this expansion     are the same as those of the expansion of j₁. All in all, the total,     number of 1's is     wt₂(j₁)+1−(s′−s)wt₂(j₁)+wt₂(j₂)−(s′−s)<wt₂(j₁)+wt₂(j₂), as required.

For the general case, suppose that wt₂(j₂)≥2, and assume the assertion true for all j₂ with smaller weight (note that the case j₂=0 is obvious). Then, write j₂=j′₂+j″₂ with wt₂(j′₂)=1 and wt₂(j″₂)=wt₂(j₂)−1. Then

$\begin{matrix} {{{wt}_{2}\left( {j_{1} + j_{2}} \right)} = {{wt}_{2}\left( {\left( {j_{1} + j_{2}^{\prime}} \right) + j_{2}^{''}} \right)}} \\ {\leq {{{wt}_{2}\left( {j_{1} + j_{2}^{\prime}} \right)} + {{{wt}_{2}\left( j_{2}^{''} \right)}\left( {{induction}\mspace{14mu}{hypothesis}} \right)}}} \\ {\leq {{{wt}_{2}\left( j_{1} \right)} + {{wt}_{2}\left( j_{2}^{\prime} \right)} + {{{wt}_{2}\left( j_{2}^{''} \right)}\left( {{induction}\mspace{14mu}{basis}} \right)}}} \\ {{= {{{wt}_{2}\left( j_{1} \right)} + {{wt}_{2}\left( j_{2} \right)}}},} \end{matrix}$ as required.

-   Proposition 5.8 Using the terminology of the paragraphs receding EQ.     (8), for all d≥2, for all j∈     with wt₂(j)≤d−1, and for all s∈     .     ( X ² ^(s) )^(j)∈Spa     { X ^(i) |i∈{1, . . . ,2^(d)−2} and wt ₂(i)≤wt ₂(j)}.  (9) -   Remark it is clear that 1, X, . . . , X ² ^(d) ⁻² span     _(q) ₂ [X]/(ƒ_(U)/X), and for all i∈{0, . . . , 2^(d)−2},     wt₂(i)≤d−1. Hence the maximum weight of an exponent in a spanning     set is ≤d−1 even if wt₂(j)>d−1. Hover while not really necessary for     the rest of this disclosure, the condition wt₂(j)≤d−1 is required     for stating that 1 is not in the spanning set on the right-hand side     of EQ. (9). -   Proof of Proposition 5.8: First note that since wt₂(2^(s)j)=wt₂(j),     there is no loss of generality in assuming s=0. According to     embodiments, let s=0 and proceed b induction on wt₂(j). For the     basis, suppose that wt₂(j)=1, that is, that j=2^(r) for some r.     Hence, it should be shown that for all r,     X ² ^(r) ∈Spa     { X ^(i) |i∈{1, . . . ,2^(d)−2} and wt ₂(i)=1},     for which induction on r will be used. If r<d the assertion is     clear. Suppose, therefore, that r≥d and that there exist b₀, . . . ,     b_(d−1)∈     _(q) ₂ such that     X ² ^(r−1) =Σ_(u=0) ^(d−1) b _(u) X ² ^(u) .     Squaring this equation:     X ² ^(r) =Σ_(u=0) ^(d−2) b _(u) ² X ² ^(u+1) +b _(d−1) ² X ² ^(d) .     But since ƒ_(U)(X)=X² ^(d) +a_(d−1)X² ^(d−1) + . . . +a₀X, then X ²     ^(d) =a_(d−1) X ² ^(d−1) + . . . +a₀ X, as required. This     establishes the basis of the induction on wt₂(j).

For the induction step, suppose that wt₂(j)≤2 and the assertion is true for all j′ with wt₂(j′)<wt₂(i). Write j=2^(j) ¹ + . . . +2^(j) ^(w) for the binary expansion of j, where j₁< . . . <j_(w) and w=wt₂(j)≥2. Then, by the induction basis,

$\begin{matrix} \begin{matrix} {{\overset{\_}{X}}^{j} = {{\overset{\_}{X}}^{2^{j_{1}}}{\overset{\_}{X}}^{2^{j_{2}}}\mspace{14mu}\ldots\mspace{14mu}{\overset{\_}{X}}^{2^{j_{w}}}}} \\ {= {\left( {\sum\limits_{i_{1} = 0}^{d - 1}{\alpha_{i_{1}}^{(1)}{\overset{\_}{X}}^{2^{i_{1}}}}} \right)\left( {\sum\limits_{i_{2} = 0}^{d - 1}{\alpha_{i_{2}}^{(2)}{\overset{\_}{X}}^{2^{i_{2}}}}} \right)\mspace{14mu}\ldots\mspace{14mu}\left( {\sum\limits_{i_{w} = 0}^{d - 1}{\alpha_{i_{w\;}}^{(w)}{\overset{\_}{X}}^{2^{i_{w\;}}}}} \right)}} \end{matrix} & (10) \end{matrix}$ for some α₀ ⁽¹⁾, . . . , α_(d−1) ⁽¹⁾, . . . , α₀ ^((w)), . . . , α₀ ^((w))∈

_(q) ₂ . Hence, X ^(j) is a linear combination of elements the form

$\begin{matrix} {{\overset{\_}{X}}^{{2^{i}1} + \ldots + 2^{i_{w}}}.} & (11) \end{matrix}$ Two cases can be distinguished as follows, Case I. If there are some l₁, l₂ such that i_(l) ₁ =_(l) ₂ , then

2^(i_(ℓ₁)) + 2^(i_(ℓ₂)) = 2^(i_(ℓ₁) + 1), so that

$\begin{matrix} {{\overset{\_}{X}}^{{2^{i}1} + \ldots + 2^{i_{w}}} = {{\overset{\_}{X}}^{2^{i_{\ell_{1}} + 1}} \cdot {{\overset{\_}{X}}^{\sum\limits_{{r \neq \ell_{1}},\ell_{2}}\; 2^{i_{r}}}.}}} & (12) \end{matrix}$ By Lemma 5.7, wt₂(Σ_(r≠l) ₁ _(,l) ₂ 2^(i) ^(r) )≤w−2=wt₂(j)−2, so that it follows from the induction hypothesis and EQ. (12) that

${\overset{\_}{X}}^{2^{i_{1}} + \ldots + 2^{i_{w}}} = {\left( {\sum\limits_{i = 0}^{d - 1}{\beta_{i}{\overset{\_}{X}}^{2^{i}}}} \right) \cdot \left( {\sum_{\underset{{{wt}_{2}{(k)}} \leq {{{wt}_{2}{(j)}} - 2}}{k \in {\{{1,\ldots\mspace{14mu},{2^{d} - 2}}\}}}}{\gamma_{k}{\overset{\_}{X}}^{k}}} \right)}$ for some coefficients {β_(i)}, {γ_(k)}. This last expression is itself an

_(q) ₂ -linear combination of elements of the form X ² ^(i) ^(+k) with wt₂(2^(i)+k)≤1+wt₂(k)≤wt₂(j)−1, by lemma 5.7. Using the induction hypothesis again, the desired result is obtained. Case 2. All the i_(l) are distinct. Since by assumption w=wt₂(j)≤d−1 and wt₂(2^(d)−1)=d, 2^(i) ¹ + . . . +2^(i) ^(w) ≤2^(d)−2. Also, in this case wt₂(2^(i) ¹ + . . . +2^(i) ^(w) )=w, so that EQ. (11) is already in the desired form.

-   Proposition 5.9 Maintaining the above notation, for all g∈     _(q) ₂ [X], g ^(q)=0 iff g=0). Also, if g ₁, . . . , g _(r)∈     _(q) ₂ [/x]/(ƒ_(u)X) are     _(q) ₂ linearly independent, then so are g₁ ^(q), . . . , g _(r)     ^(q). -   Proof: For the first assertion, note that

${{\overset{\_}{g}}^{q} = \left. \left. 0\Leftrightarrow\frac{f_{U}}{X} \right. \middle| \left. g^{q}\Leftrightarrow\frac{f_{U}}{X} \right. \middle| g \right.},$ where the rightmost implication holds because ƒ_(U), and hence also

$\frac{f_{U}}{X},$ is separable. Hence g ^(q)=0⇔g=0, as required.

For the second assertion, suppose that Σ_(i=1) ^(r) α_(i) g _(i) ^(q)=0 for some α₁, . . . , α_(r)∈

_(q) ₂ . Then (Σ_(i=1) ^(r)σ⁻¹(α_(i)) g _(i))^(q)=0, so that Σ_(i=l) ^(r)σ⁻¹(α_(i))g _(i)=0 by the first part. Since the g _(i) are linearly independent, then σ⁻¹(α_(i))=0 for all i, and hence also α_(i)=0 for all i.

-   Proposition 5.10 Using the terminology of the paragraphs preceding     EQ. (8). Suppose that the dimension of the     ₂-subspace U of     _(q) ₂ is d, so that the Reed-Solomon code C defined on U is a     code. Suppose that the vector v of Theorem 3.2 is given by v_(u)=1/u     for all u∈U\{0}. Suppose also that

${\ell \leq \ell_{0}}:=\left\{ \begin{matrix} {2^{d} - 2^{d/2} - 1} & {{if}\mspace{14mu} d\mspace{14mu}{is}\mspace{14mu}{even}} \\ {d^{2} - d^{{({d + 1})}/2} - 1} & {{if}\mspace{14mu} d\mspace{14mu}{is}\mspace{14mu}{{odd}.}} \end{matrix} \right.$ Then for C′ of Theorem 3.2, dim(C′)≥2. Remarks:

1. Informally, this proposition states that “half” of Condition (**) is satisfied for any subspace of dimension d if l≤l₀. Note that l₀ depends on d, but not on q. For example, for even d and for all q with q²≥2^(d), the proposition shows that half of Condition (**) is satisfied for codes of length n=2 and dimension up to n−√{square root over (n)} in

_(q) ₂ ^(n). In the sequel, it will be shown that for r large enough, “all” of condition (**) is satisfied for some [2^(d), 2^(d)−

Reed-Solomon codes.

2. Note that for odd d, the codimension is the same as that for d+1. Hence, the parameters of an odd d can be achieved by shortening a code designed for the even dimension d+1. Therefore, apart from the current proposition, only even d will be considered.

3. Note that for a choice according to an embodiment of v, there do exist some subspaces U⊆

_(q) ₂ with dim(U)=d for which Condition (**) does not bold. For example, if d=q, then Condition (**) does not hold for U=

_(q)⊂

_(q) ₂ , since a single additional row with entries front

_(q) in the check matrix cannot decrease the

_(q)-dimension by more than 1. Similarly, the condition does not hold for subspaces of the form z·

_(q) for z∈

_(q) ₂ *.

-   Proof of Proposition 5.10: Recall that D′⊆     _(q) ₂ is the code with parity-check matrix H′, so that C′=D′|     _(q) . By EQ. (7) of Corollary 5.2,

$\begin{matrix} \begin{matrix} {{\dim\left( C^{\prime} \right)} = {2^{d} - 1 - {2{\dim\left( D^{\prime\bot} \right)}} + {\dim\left( {D^{\prime\bot}\bigcap{\sigma\left( D^{\prime\bot} \right)}} \right)}}} \\ {{= {{\dim\left( {D^{\prime\bot}\bigcap{\sigma\left( D^{\prime\bot} \right)}} \right)} + 2^{d} - 1 - {2\ell}}},} \end{matrix} & (13) \end{matrix}$ where dim(D′^(⊥))=l has been used, and recalling that that 1, X, . . . , X ^(l−1) is a basis for μ⁻¹(D′^(⊥)). Hence, to prove the assertion, it is sufficient to prove that dim(D′ ^(⊥)∩σ(D′ ^(⊥)))≥2l+3−2^(d). In view of EQ. (8), it should be shown that dim(Spa

{1 ,X, . . . ,X ^(l=1)}∩Spa

{1, X ^(q), . . . ,( X ^(q))^(l−1)})≥2l+3−2^(d).  (14) In other words, it should be shown that Spa

{1, X ^(q), . . . ,( X ^(q))^(l−1)}  (15) contains 2l+3−2^(d) independent elements that can be written as linear combinations of 1, X, . . . , X ^(l−1). Note first that 1, X ^(q), . . . , (X ^(q))^(l−1) are

_(q) ₂ -linearly independent, because 1, X, . . . , X ^(l−1) are linearly dependent and, by Proposition 5.9, the map g

g ^(q) preservers this property.

Write A:=|{i∈{0, . . . ,l−1}|wt ₂(i)>wt ₂(l−1)}| and B:=|{i∈{l, . . . ,2^(d)−2}|wt ₂(i)≤wt ₃(l−1)}|. It follows from Proposition 5.8 that for each of the l−A values of i in {0, . . . , l−1} with wt₂(i)≤wt₂(l−1), (X ^(q))^(i) a linear combination of classes X ^(j) with wt₂(j)≤wt₂(l−1). Each such linear combination involves at most B classes X ^(j) with j≥l. Hence, up to B of the l−A elements (X ^(q))^(i) can be used to cancel all classes X ^(j) with j≥l in the remaining l−A−B elements. This can be done by choosing elements (X ^(q))^(i) whose projections to the coordinates X ^(j) with j≥l and wt₂(j)≤wt₂(l−1) form a basis to the projection of all l−A elements (X ^(q))^(i) to the same coordinates. Since the projection is to B coordinates, the number of elements in this basis is at most B. This results in at least l−A−B linearly independent elements in the intersection appearing in (14). Hence, if l−A−B≥2l+3−2^(d), then EQ. (14) is satisfied and dim(C′)≥2. In Appendix A it is shown that for l=l₀, it indeed holds that 2^(d)3−l≥A+B. So, for l=l₀, then dim(C′)≥2, and consequently the same holds for all l≤l₀.

Theorem 5.11 Let d≥4 be even. Suppose that q=2^(r) and that d elements x₀, . . . , x_(d−1) are drawn uniformly and independently from

_(q) ₂ *. Let U:=Span

₂ {x₀, . . . , x_(d−1)}. Suppose that l=l₀=2^(d)−2^(d/2)−1, so that if dim(U)=d, then the Reed-Solomon code C defined on U is a [2^(d), 2^(d)−

code. Suppose that the vector v, is given by v_(u)=1/u for all u∈U\{0}. Then the probability that both dim(U)=d and Condition (**) holds is at least

${1 - \frac{{\left( {1 + {\frac{d}{2}\left( {q - 1} \right)}} \right)\left( {2^{d} - 1} \right)} - d}{q^{2} - 1}},$

and is positive for r≥d−1+log₂(d).

-   Remark 5.12

1. The case of r=d/2 is a special case of Theorem 4.1, above.

2. Some examples (see below) seem to suggest that the result should hold for all r≥d/2, and that the probability of drawing a “good” subspace U is much higher than in the theorem.

3. For d=4, the theorem proves the existence of a good subspace for all r≥5, and Theorem 4.1 covers the case r=2. Since the two remaining cases of r=3, 4 are considered in the examples below, it can be seen that for d=4, a good subspace exists for all r≥d/2.

Before proving the theorem, some auxiliary results are needed.

-   Proposition 5.13 Using the terminology of Proposition 5.10 and     continue to assume that the vector v is given by v_(u)=1/u for all     u∈U\{0}. Suppose that l−1≥2^(d−1)−2, which holds for l=l₀ if d≥2.     Then Condition (**) for the [2^(d), l+     Reed-Solomon code defined on U is equivalent to the following     condition: For all β₁, β₂∈     _(q) ₂ ,     β₁ X ² ^(d) ⁻²+β₂( X ^(q))² ² ⁻²∈Spa     {1, X, . . . ,X ^(l−1) ,X ^(q),( X ^(q))², . . . ,( X     ^(q))^(l−1)}⇒β₁β₂=0.     or, equivalently, to     X ² ^(d) ⁻²∉Spa     {1, X, . . . ,X ^(l−1) ,X ^(q),( X ^(q))², . . . ,( X     ^(q))^(l−1)}  (16)     and     ( X ^(q))² ^(d) ⁻²∉Spa     {1, X, . . . ,X ^(l−1) ,X ^(q),( X ^(q))², . . . ,( X ^(q))^(l−1) ,X     ² ^(d) ⁻²}.  (17) -   Proof. By EQ. (6) of Corrolary 5.2,

$\begin{matrix} {{{\dim\left( C^{\prime} \right)} - {\dim\left( C^{''} \right)}} = {{\dim\left( {D^{\prime}❘_{{\mathbb{F}}_{q}}} \right)} - {\dim\left( {D^{''}❘_{{\mathbb{F}}_{q}}} \right)}}} \\ {= {{\dim\left( {D^{''\bot} + {\sigma\left( D^{''\bot} \right)}} \right)} - {\dim\left( {D^{\prime\bot} + {\sigma\left( D^{\prime\bot} \right)}} \right)}}} \end{matrix}$ Since D″^(⊥)D′^(⊥)+Spa

{v}, then D″ ^(⊥)+σ(D″ ^(⊥))=D′ ^(⊥)+σ(D′ ^(⊥))+Spa

{v,σ(v)}. Hence Condition (**) holds iff for β₁, β₂ ∈

_(q) ₂ , β₁ v+β ₂σ(v)∈D′⊥+σ(D′ ^(⊥))⇒β₁=β₂=0. Applying the isomorphism μ⁻¹, it can be seen that Condition (**) holds iff for β₁, β₂∈

_(q) ₂ , β₁ X ⁻¹+β₂( X ⁻¹)^(q)∈Spa

{1, X, . . . ,X ^(l−1) ,X ^(q),( X ^(q))², . . . ,( X ^(q))^(l−1)}⇒β₁=β₂=0. which, from Lemma 5.5, is equivalent to β₁ X ² ^(d) ⁻²+β₂( X ^(q))² ^(d) ⁻²∈Spa

{1, X, . . . ,X ^(l−1) ,X ^(q),( X ^(q))², . . . ,( X ^(q))^(l−1)}⇒β₁=β₂=0. This concludes the proof

-   Definition 5.14 (The numbers i_(j)) Recall that that d is assumed     even, and note that the numbers i∈{0, . . . , 2^(d)−2) with     wt₂(i)=d−1 are those numbers i of the form 2^(d)−1−2^(j) with j∈{0,     . . . , d−1}. Hence, there are d such numbers, and d/2−1 of them are     <l₀=2^(d)−2^(d/2)−1, namely, those with j∈{d/2+1, . . . , d−1}. For     j in the above range, write i_(j):=2^(d)−1−2^(d−1−j), so that     2^(d−1)−1=i ₀ <i ₁ < . . . <i _(d−1)2^(d)−2     are all the numbers i∈{0, . . . , 2^(d)−2} with wt₂(i)=d−1, and i₀,     . . . , i_(d/2−2) are all the numbers i∈{0, . . . , l₀−1} with     wt₂(i)=d−1. -   Definition 5.15: (The matrices M_(r) {tilde over (M)}_(r)) for r≥0     and for i, j∈{0, . . . , 2^(d)−2}, define coefficients α_(i,j)     ^((r))∈     _(q) ₂ by setting (X ² ^(r) )^(i)=Σ_(j=0) ² ^(d) ⁻² α_(i,j) ^((r)) X     ^(j). Define a matrix M_(r)∈     _(q) ₂ ^(d×d/2) as follows:

Note that each column of M_(r) includes some of the coefficients corresponding to (X ² ^(r) )^(i) for some i with i=2^(d)−2 or i<l₀ and wt₂(i)=d−1, and the coefficients appearing in each column correspond to all basis elements X ^(j) with wt₂(j)=d−1.

Define also a matrix {tilde over (M)}_(r)∈

_(q) ₂ ^(d/2×d/2) by letting {tilde over (M)}_(r) include the last d/2 rows of M_(r), the part below the horizontal line in EQ. (18)).

-   Proposition 5.16: Using the terminology of Proposition 5.13, if     det({tilde over (M)}_(r))≠0 for r=log₂(q), then Condition (**) holds     for l=l₀, and hence for all l≤l₀. -   Proof. Observe that the conditions of EQS. (16) and (17 can be     written as follows:

(i) X ² ^(d) ⁻² is not in the

_(q) ₂ -span of the projections of X ^(q), (X ^(q))², . . . , (X ^(q))^(l) ⁰ ⁻¹ to coordinates X ^(l) ⁰ , X ^(l) ⁰ ⁺¹, . . . , X ² ^(d) ⁻², and

(ii) to the projection of (X ^(q))² ^(d) ⁻² to coordinates X ^(l) ⁰ , X ^(l) ⁰ ⁺¹, . . . , X ² ^(d) ⁻³ is not in the

_(q) ₂ -span of the projections of X ^(q), (X ^(q))², . . . , (X ^(q))^(l) ⁰ ⁻¹ to the same coordinates.

Consider (i) above. By Proposition 5.8, if X ² ^(d) ⁻² appears in a sum of the form Σ_(i=1) ^(l) ⁰ ⁻¹ β_(i)(X ^(q))^(i), then at least one β_(i) with wt₂(i)=d−1 must be non-zero. In addition, by the same proposition, only elements of the form (X ^(q))^(i) with wt₂(i)=d−1 may contribute to the projection to coordinates X ^(j) for j∈{l₀, . . . , 2^(d)−3} with wt₂(j)=d−1. Hence, if the projections of (X ^(q))^(i) for i∈{1, . . . , l₀−1} with wt₂(i)=d−1 to the above coordinates are

_(q) ₂ -linearly independent then (i) must hold in other words, linear independence of the last d/2−1 columns of {tilde over (M)}_(r) is sufficient for (i).

Similarly, by Proposition 5.8 if the projection of (X ^(q))² ^(d) ⁻² to the coordinates X ^(j) for j∈{l₀, . . . , 2^(d)−3} with wt₂(j)=d−1 is not in the span of the projections of (X ^(q))^(i) for i∈{1, . . . , l₀−1} with wt₂(i)=d−1 to the same coordinates, then (ii) must hold, since by Proposition 5.8, since only coordinates j with wt₂(j)=d−1 are being considered, only i's with wt₂(i)=d−1 need be taken into account. For the other i's, (X ^(q))^(i) has zero projection to the above coordinates, by the proposition. This shows that if det({tilde over (M)}_(r))≠0, then both (i) and (ii) hold, as required.

To continue, parametrize the problem. Instead of working in

_(q) ₂ [X], work in

₂[X, T₀, . . . , T_(d−1)] for free variables T₀, . . . , T_(d−1). For this, let T:=(T₀, . . . , T_(d−1)) be a vector of free variables over

₂[X], and let ƒ(X, T)∈

₂[X, T] be defined by ƒ(X,T):=X ² ^(d) +T _(d−1) X ² ^(d−1) +T _(d−2) X ² ^(d−2) + . . . +T ₁ X ² +T ₀ X. Re-define (g

g) to be the canonical homomorphism

₂[X, T]→

₂[X, T]/(ƒ/X). Since

₂[T]⊆

₂[X, T]→

₂[X, T]/(ƒ/X) is an injection, which follows from deg_(X)(uv)=deg_(X)(u)+deg_(X)(v),

₂[T] can be thought of as a subring of

₂[X, T]/(ƒ/X). In addition,

₂[X, T]/(ƒ/X) is a free

₂[T]-module with basis 1, X, . . . , X ² ^(d) ⁻². Note that 1, X, . . . , X ² ^(d) ⁻² do generate

₂[X, T]/(ƒ/X) as an

₂[T]-module, since the coefficient of X² ^(d) ⁻¹ in ƒ/X is a unit.

The idea is that for any finite dimensional

₂-subspace U of any extension field K of

₂ (e.g., K=

_(q) ₂ ) the coefficients of ƒ_(U) can be substituted for the T_(i).

-   Definition 5.17: (The matrices     _(r) and     _(r)). For integer r, define matrices     _(r)∈     ₂[T]^(d×d/2) and     _(r)∈     ₂[T]^(d/2×d/2) as follows. The matrix     _(r) is defined as the right-band side of EQ. (18), where now     α_(i,j) ^((r))∈     ₂[T] are the unique polynomials in (X ² ^(r) )^(i)=Σ_(j=0) ² ^(d) ⁻²     α_(i,j) ^((r))(T)X ^(j). The matrix     _(r) is defined as the last d/2 rows of     _(r). Note that by Lemma B.1, if for an     ₂-subspace U∈     _(q) ₂ , a₀, . . . , a_(d−1)∈     _(q) ₂ are such that ƒ_(U)(X)=X² ^(d) +a_(d−1)X² ^(d−1) + . . .     +a₀X, then M_(r)=     _(r)(a₀, . . . , a_(d−1)) and {tilde over (M)}_(r)=     _(r)(a₀, . . . , a_(d−1)). Consequently, det({tilde over     (M)}_(r))=(det(     _(r))) (a₀, . . . , a_(d−1)).

Next, it will be shown that for r≥d/2, det(

_(r)) is not the zero polynomial in

₂[T]. To this end, begin with the following lemma.

-   Lemma 5.18: (Update Lemma) Write

${A(T)}:={\begin{pmatrix} T_{1} & 1 & T_{d - 1} & T_{d - 2} & \ldots & T_{3} & T_{2} \\ 0 & 0 & T_{0} & 0 & \ldots & 0 & 0 \\ 0 & 0 & 0 & T_{0} & \ldots & 0 & 0 \\ \vdots & \vdots & \vdots & \vdots & \vdots & \vdots & \vdots \\ 0 & 0 & 0 & 0 & \ldots & T_{0} & 0 \\ 0 & 0 & 0 & 0 & \ldots & 0 & T_{0} \\ T_{0} & 0 & 0 & 0 & \ldots & 0 & 0 \end{pmatrix} \in {{\mathbb{F}}_{2}\lbrack y\rbrack}^{d \times d}}$ For all i and r, and for the i_(j)'s of Definition 5.14, the α_(i,j) ^((r))=α_(i,j) ^((r))(T) of Definition 5.17 satisfy

$\begin{matrix} {\begin{pmatrix} \alpha_{i,{2^{d} - 2}}^{({r + 1})} \\ \alpha_{i,i_{0}}^{({r + 1})} \\ \alpha_{i,i_{1}}^{({r + 1})} \\ \vdots \\ \alpha_{i,i_{d - 2}}^{({r + 1})} \end{pmatrix} = {{A\begin{pmatrix} \left( \alpha_{i,{2^{d} - 2}}^{(r)} \right)^{2} \\ \left( \alpha_{i,i_{0}}^{(r)} \right)^{2} \\ \left( \alpha_{i,i_{1}}^{(r)} \right)^{2} \\ \vdots \\ \left( \alpha_{i,i_{d - 2}}^{(r)} \right)^{2} \end{pmatrix}}.}} & (19) \end{matrix}$

-   Proof: It holds that

$\begin{matrix} {\left( {\overset{\_}{X}}^{2^{r + 1}} \right)^{i} = \left( \left( {\overset{\_}{X}}^{2^{T}} \right)^{i} \right)^{2}} \\ {= \left( {\sum\limits_{f = 0}^{2^{d} - 2}{{\alpha_{i,j}^{(r)}(T)}{\overset{\_}{X}}^{j}}} \right)^{2}} \\ {= {\underset{\underset{= {:S_{1}}}{︸}}{\sum\limits_{j = 0}^{2^{d - 1} - 1}{{\alpha_{i,j}^{(r)}(T)}^{2}{\overset{\_}{X}}^{2j}}} + {\underset{\underset{= {:S_{2}}}{︸}}{\sum\limits_{j = 2^{d - 1}}^{2^{d} - 2}{{\alpha_{i,j}^{(r)}(T)}^{2}{\overset{\_}{X}}^{2j}}}.}}} \end{matrix}$ From Proposition 5.8, only j's with wt₂(j)=d−1 can contribute to α_(i,k) ^((r+1)) for k With wt₂(k)=d−1. In the sum S₁, there is only such j, namely 2^(d−1)−1. In the sum S₂, the relevant j's are those of the form j=2^(d)−1−2^(j′) for j′∈{0, 1, . . . , d−2}, from Definition 5.14, Hence, the partial sum S ₃:=(α_(i,2) _(d−1) ⁻¹ ^((r)))² X ² ^(d) ⁻²+Σ_(j=0) ^(d−2)(α_(i,2) _(d) ⁻¹⁻² _(j) ^((r)))² X ² ^(d+1) ⁻²⁻² ^(j+1) includes all contributions to the α_(i,k) ^((r+1)) for k with wt₂(k)=d−1.

Now

$\begin{matrix} {{\overset{\_}{X}}^{2^{d + 1} - 2 - 2^{j + 1}} = {{\overset{\_}{X}}^{2^{d}} \cdot {\overset{\_}{X}}^{2^{d} - 2 - 2^{j + 1}}}} \\ {= {\left( {\sum\limits_{\ell = 0}^{d - 1}{T_{\ell}{\overset{\_}{X}}^{2^{\ell}}}} \right){\overset{\_}{X}}^{2^{d} - 2 - 2^{j + 1}}}} \\ {= {\sum\limits_{\ell = 0}^{d - 1}{T_{l}{{\overset{\_}{X}}^{2^{\ell} + 2^{d} - 2 - 2^{j + 1}}.}}}} \end{matrix}$ Substitute is S₃ to get S ₃:=(α_(i,2) _(d−1) ⁻¹ ^((r)))² X ² ^(d) ⁻²+Σ_(j=0) ^(d−2)(α_(i,2) _(d) ⁻¹⁻² _(j) ^((r)))²Σ_(l=0) ^(d−1) T _(l) X ² ^(l) ⁺² ^(d) ⁻²⁻² ^(j+1) . Once again, only those exponents with wt₂(·)=d−1 can contribute to α_(i,k) ^((r+1)) for k with wt₂(k)=d−1 and should be kept. For j+1∈{1, . . . , d−1}, the binary representation of 2^(d)−2−2^(j+1)=(2^(d)−1)−1−2^(j+1) has exactly two zeros (the coefficients of 2⁰ and 2^(j+1)), and so wt₂(2^(l)+2^(d)−2−2^(j+1))=d−1 iff l∈{0,j+1}. It follows that all contributions to the α_(i,k) ^((r+1)) for k with wt₂(k)=d−1 appear in

${{\left( \alpha_{i,{2^{d - 1} - 1}}^{(r)} \right)^{2}{\overset{\_}{X}}^{2^{d} - 2}} + {\sum\limits_{j = 0}^{d - 2}{\left( \alpha_{i,{2^{d} - 1 - 2^{j}}}^{(r)} \right)^{2}\left( {{T_{0}{\overset{\_}{X}}^{2^{d} - 1 - 2^{j + 1}}} + {T_{j + 1}{\overset{\_}{X}}^{2^{d} - 2}}} \right)}}} = {{{\overset{\_}{X}}^{2^{d} - 2}\left( {\left( \alpha_{i,{2^{d - 1} - 1}}^{(r)} \right)^{2} + {\sum\limits_{j = 0}^{d - 2}{\left( \alpha_{i,{2^{d} - 1 - 2^{j}}}^{(r)} \right)^{2}T_{j + 1}}}} \right)} + {\sum\limits_{j = 0}^{d - 2}{{T_{0}\left( \alpha_{i,{2^{d} - 1 - 2^{j}}}^{(r)} \right)}^{2}{{\overset{\_}{X}}^{2^{d} - 1 - 2^{j + 1}}.}}}}$ Recalling that 2^(d)−1−2^(j)=i_(d−1−j) and using a variable change j↔d−1−j in the last sum, the above expression reads X ² ^(d) ⁻²((α_(i,i) ₀ ^((r)))²+Σ_(j=0) ^(d−2)(α_(i,i) _(d−1−j) ^((r)))² T _(j+1))+Σ_(j=1) ^(d−1) T ₀(α_(i,i) _(j) ^((r)))² X ^(i) ^(j−1) . This concludes the proof.

-   Definition 5.19: (The Matrices A_(i) and ₂A). For the matrix A of     Lemma 5.18, let A₁∈     ₂[T]^(d×d/2) include the first d/2 columns of A, and let ₂A∈     ₂[T]^(d/2×d) include the last d/2 rows of A. Explicitly,

${A_{1} = {\begin{pmatrix} T_{1} & 1 & T_{d - 1} & T_{d - 2} & T_{d - 3} & \ldots & T_{{d/2} + 2} \\ 0 & 0 & T_{0} & 0 & 0 & \ldots & 0 \\ 0 & 0 & 0 & T_{0} & 0 & \ldots & 0 \\ \vdots & \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & 0 & 0 & 0 & \ldots & T_{0} \\ 0 & 0 & 0 & 0 & 0 & \ldots & 0 \\ 0 & 0 & 0 & 0 & 0 & \ldots & 0 \\ 0 & 0 & 0 & 0 & 0 & \ldots & 0 \\ \vdots & \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & 0 & 0 & 0 & \ldots & 0 \\ T_{0} & 0 & 0 & 0 & 0 & \ldots & 0 \end{pmatrix} \in {{\mathbb{F}}_{2}\lbrack T\rbrack}^{d \times {d/2}}}},$ in particular, using 0, 1, . . . , to number rows, rows number d/2−1, . . . , d−2 are zero, and

$\;_{2}A = {{T_{0}\begin{pmatrix} 0 & 0 & \ldots & 0 & 0 & 1 & 0 & \ldots & 0 \\ 0 & 0 & \ldots & 0 & 0 & 0 & 1 & \ldots & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \ldots & 0 & 0 & 0 & 0 & \ldots & 1 \\ 1 & 0 & \ldots & 0 & 0 & 0 & 0 & \ldots & 0 \end{pmatrix}} \in {{\mathbb{F}}_{2}\lbrack y\rbrack}^{{d/2} \times d}}$

-   Definition 5.10 (The operation (·)^(⊙k)). For a matrix M={m_(ij)}     with entries in some ring and for an integer k, let M^(⊙k) be the     matrix obtained by raising each entry of M to the power of k:     M^(⊙k):={m_(ij) ^(k)}. -   Remark 5.11 Note that for matrices with entries in a ring of     characteristic 2, in particular, in     ₂[T], it holds that for all j∈     , (M₁M₂)^(⊙2) ^(j) =M₁ ^(⊙2) ^(j) M₂ ^(⊙2) ^(j) whenever M₁M₂ is     defined. This fact will be used without farther mention below. Note     also that in the case of characteristic 2, det(M^(⊙2))=det(M)² for a     square matrix M. -   Lemma 5.22 It holds that

0 = ( I d / 2 0 d / 2 × d / 2 ) ( 20 ) and for r≥1,

_(r) =A·A ^(⊙2) ·A ^(⊙4) . . . A ^(⊙2) ^(r−2) ·A ₁ ^(⊙2) ^(r−1) ,  (21) a total of r multiplied matrices. Consequently.

_(r)=₂ A·A ^(⊙2) ·A ^(⊙4) . . . A ^(⊙2) ^(r−2) ·A ₁ ^(⊙2) ^(r−1) .  (22)

-   Remark 5.23 For clarity, EQ. (21) is expressed explicitly for the     cases where r−2≤1, that is, for r≤3:     ₁=A₁,     ₂=A·A₁ ^(⊙2),     ₃=A·A^(⊙2)·A₁ ^(⊙4). -   Proof of Lemma 5.23: EQ. (20) follows directly from the definition     of     _(r), and then EQ. (24) follows from Lemma 5.18 by induction.     Finally, EQ. (22) follows from EQ. (21) and the definition of     _(r) as the last d/2 rows of     _(r).

It can now be proven that det(

_(r)) is not the zero polynomial.

-   Lemma 5.24: For even d≥4 and r≥d/2, det(     _(r))∈     ₂[T] is a non-zero polynomial of total

${degree} \leq {\frac{d}{2}\left( {2^{r} - 1} \right)}$

-   Proof. First, it will be proven by induction on r that det(     _(r)) is not the zero polynomial. For the basis, consider the case     r=d/2. Note that B:=A(1, 0, . . . , 0) represents the cyclic shift     left operator. Hence, if d/2≥3,     N:=B ^(⊙2) . . . B ^(⊙2) ^(d/2−2) =B ^(d/2−2)     represents the cyclic shift left by d/2−2 operator. Therefore,     N′:=N·A ₁(1,0, . . . ,0)^(⊙2) ^(d/2−1) =N·A ₁(1,0, . . . ,0)     is given by

$N^{\prime} = {\begin{pmatrix} 0 & 0 & \ldots & 0 & 1 \\ 0 & 0 & \ldots & 0 & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \ldots & 0 & 0 \\ 0 & 0 & \ldots & 0 & 0 \\ 1 & 0 & \ldots & 0 & 0 \\ 0 & 1 & \ldots & 0 & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \ldots & 1 & 0 \end{pmatrix}.}$ It follows that

_(d/2)(1, 0, . . . , 0)=₂ A(1, 0, . . . , 0)N′=I_(d/2), and (det(

_(d/2)))(1,0, . . . ,0)=1.  (23) For d/2=2, where

_(d/2)=₂A·A₁ ^(⊙2), it can be verified directly that

_(d/2)(1, 0, . . . , 0)=I_(d/2), so that EQ. (23) holds also for this case. This shows that det(

_(d/2))≠0∈

₂[T] and establishes the induction basis.

For the induction step, assume that r≥d/2+1 and the assertion is true for r−1. Write ₂A′:=₂ A/T₀∈

₂ ^(d/2×d), and note that ₂A′=(₂A′)^(⊙2). When by EQ. (22),

det ⁢ ( r ) = ⁢ T 0 d / 2 ⁢ det ⁡ ( ( 2 ⁢ A ′ ) ⊙ 2 · A ⊙ 2 ⁢ ⁢ … ⁢ ⁢ A ⊙ 2 r - 2 · A 1 ⊙ 2 r - 1 ) = ⁢ T 0 d / 2 ( det ⁡ ( ( 2 ⁢ ( A ′ ) · A ⁢ ⁢ … ⁢ ⁢ A ⊙ 2 r - 3 · A 1 ⊙ 2 r - 2 ) ) 2 . ( 24 ) Now, using 0, 1, . . . to index rows:

${\left( {}_{2}A^{\prime} \right) \cdot A} = {\begin{pmatrix} {{row}_{{d/2} + 1}(A)} \\ {{row}_{{d/2} + 2}(A)} \\ \vdots \\ {{row}_{d - 1}(A)} \\ {{row}_{0}(A)} \end{pmatrix}.}$ Cyclically shifting the rows results in the matrix

$\begin{matrix} {\begin{pmatrix} T_{1} & 1 & T_{d - 1} & \ldots & T_{{d/2} + 2} & T_{{d/2} + 1} & T_{d/2} & T_{{d/2} - 1} & \ldots & T_{3} & T_{2} \\ 0 & 0 & 0 & \ldots & 0 & 0 & 0 & T_{0} & \ldots & 0 & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & 0 & \ldots & 0 & 0 & 0 & 0 & \ldots & T_{0} & 0 \\ 0 & 0 & 0 & \ldots & 0 & 0 & 0 & 0 & \ldots & 0 & T_{0} \\ T_{0} & 0 & 0 & \ldots & 0 & 0 & 0 & 0 & \ldots & 0 & 0 \end{pmatrix} \in {{{\mathbb{F}}_{2}\lbrack T\rbrack}^{{d/2} \times d}.}} & (25) \end{matrix}$ Write ₃A for the matrix in EQ. (25), and let

_(r):=₃ A·A ^(⊙2) ·A ^(⊙2) ² . . . A ^(⊙2) ^(r−2) ·A ₁ ^(⊙2) ^(r−2) . It follows from EQ. (24) that det(

_(r))≠0 iff det(

_(r))≠0. By the

₂[T]-linearity of the determinant in the first row, it is shown that

det ⁡ ( r ) = T d / 2 · det ⁡ [ ( 0 0 0 … 0 0 1 0 … 0 0 0 0 0 … 0 0 0 T 0 … 0 0 ⋮ ⋮ ⋮ ⋱ ⋮ ⋮ ⋮ ⋮ ⋱ ⋮ ⋮ 0 0 0 … 0 0 0 0 … T 0 0 0 0 0 … 0 0 0 0 … 0 T 0 T 0 0 0 … 0 0 0 0 … 0 0 ) · A ⊙ 2 ⁢ ⁢ … ⁢ ⁢ A ⊙ 2 r - 3 · A 1 ⊙ 2 r - 2 ] + det [ ( T 1 1 T d - 1 … T d / 2 + 2 T d / 2 + 1 0 T d / 2 - 1 … T 3 T 2 0 0 0 … 0 0 0 T 0 … 0 0 ⋮ ⋮ ⋮ ⋱ ⋮ ⋮ ⋮ ⋮ ⋱ ⋮ ⋮ 0 0 0 … 0 0 0 0 … T 0 0 0 0 0 … 0 0 0 0 … 0 T 0 T 0 0 0 … 0 0 0 0 … 0 0 ) · A ⊙ 2 ⁢ ⁢ … ⁢ ⁢ A ⊙ 2 r - 3 · A 1 ⊙ 2 r - 2 ] . Note that the following fact was used: for rows r₀, r′₀, r₁, r₂, . . . and for a matrix. M,

${\det\left( {\begin{pmatrix} {r_{0} + r_{0}^{\prime}} \\ r_{1} \\ r_{2} \\ \vdots \end{pmatrix} \cdot M} \right)} = {{\det\left( \begin{pmatrix} {{r_{0}M} + {r_{0}^{\prime}M}} \\ {r_{1}M} \\ {r_{2}M} \\ \vdots \end{pmatrix} \right)} = {{\det\left( {\begin{pmatrix} r_{0} \\ r_{1} \\ r_{2} \\ \vdots \end{pmatrix} \cdot M} \right)} + {{\det\left( {\begin{pmatrix} r_{0}^{\prime} \\ r_{1} \\ r_{2} \\ \vdots \end{pmatrix} \cdot M} \right)}.}}}$

Note also that the first determinant in the above sum equals det(

_(r−1))/T₀, and is therefore non-zero by the induction hypothesis. In addition, the first summand (T_(d/2)·det( . . . )) is the only one in which T_(d/2) may appear in an odd degree, and as the first determinant is non-zero and T_(d/2) appears in all its monomials in an even degree, the first summand must contain monomials whose T_(d/2)-degree is odd. As such monomials cannot be canceled by monomials in the second determinant, whose T_(d/2)-degree is essentially even, it can be concluded that det(

_(r))≠0, so that det(

_(r))≠0. This completes the proof that det(

_(r))≠0 for all r≥d/2.

As for the assertion regarding the total degree, note first that combining EQ. (22), the fact that all polynomials in A are either 1 or some T_(j), and the additivity of the total degree, it can be seen that the total degree of each entry in

_(r) is at most 1+2+ . . . +2^(r−1)=2^(r)−1. As the determinant of a d/2×d/2 matrix is a sum of products of d/2 entries, it follows that tot. deg(

_(r))≥(d/2) (2^(r)−1), as required.

Theorem 5.11 can now be proven.

-   Proof of Theorem 5.11: Take some x₀, . . . , x_(d−1)∈     _(q) ₂ . The condition that the x_(i) are     ₂-linearly independent can be expressed as g(x₀, . . . , x_(d−1))≠0     for     g(X ₀ , . . . ,X _(d−1)):=(X ₀ +X ₁)(X ₀ +X ₂) . . . (X _(d−2) +X     _(d−1)) . . . (X ₀ + . . . +X _(d−1)),     a product of 2^(d)−d−1 linear polynomials. In addition, assuming     that x₀, . . . , x_(d−1) are     ₂-linearly independent and writing U for the subspace that they     span, the coefficients a₀, . . . , a_(d−1) of ƒ_(U)=Π_(x∈U) (X+x)=X²     ^(d) +a_(d−1)X² ^(d−1) + . . . +a₀X are obtained by substituting     (x₀, . . . , x_(d−1)) in polynomials of total degrees≤2^(d)−2^(j)     for j=0, 1, . . . , d−1, respectively, in     ₂[X₀, . . . , X_(d−1)]. Substituting these polynomials from     ₂[X₀, . . . , X_(d−1)] for the T_(i) in det(     _(r)) with r=log₂(q), results in a polynomial h ∈     ₂[X₀, . . . , X_(d−1)] of total degree at most

( 2 d - 1 ) · tot · deg ⁡ ( det ⁡ ( r ) ) ≤ ( 2 d - 1 ) · d 2 ⁢ ( q - 1 ) , ( 26 ) where EQ. (26) follows from Lemma 5.24 and the fact that for a field K, a polynomial u∈K[Y₀, . . . , Y_(n) ₁ ⁻¹] and polynomials v₀, . . . , v_(n) ₁ ⁻¹∈K[Z₀, . . . , Z_(n) ₁ ⁻¹], tot. deg(u(v ₀ , . . . ,v _(n) ₁ ⁻¹))≤tot. deg(u)·max{tot. deg(v _(i))}_(i). To see the validity of the previous equation, take a monomial Y₀ ^(i) ⁰ . . . Y_(n) ₁ ⁻¹ ^(i) ^(n1−1) appearing in u, then by definition, Σi_(j)≤tot. deg(u). Substituting the v_(j) for the Y_(j) and using tot. deg(fg)=tot. deg(ƒ)+tot. deg(g), it is clear that the total degree after substitution is not greater than i₀·tot. deg(v₀)+ . . . +i_(n) ₁ ⁻¹·tot. deg(v_(n) ₁ ⁻¹)≤(Σi_(j))max{tot. deg(v_(i))}.

Write X:=(X₀, . . . , X_(d−1)). According to an embodiment, it should be shown that (gh) (X) has a non-zero in

_(q) ₂ ^(d). This will be accomplished with the Schwartz-Zippel lemma, which states that if ƒ∈K[Y₀, . . . , Y_(m−1)] is non-zero and has total degree δ (where K is some field, m∈

, and δ ∈

), and if S⊆K is a finite set, then the number of (y₀, . . . , y_(m−1))∈S^(m) for which ƒ(y₀, . . . , y_(m−1))=0 is at most δ·|S|^(m−1). However, it first needs to be shown that gh≠0. Since g(X) is obviously non-zero, it only needs to be shown that h(X)≠0. If h(X) is the zero polynomial in

₂[X], then for any extension field K of

₂ and for any d-dimensional

₂-subspace U of K, the result of substituting the a_(i) coming from Π_(x∈U) (X−x)=X² ^(d) +a_(d−1)X² ^(d−1) + . . . +a₀X for the T_(i) in det(

_(r)) is 0∈K. Suppose that |K|=Q where Q≥2^(d) is some power of 2. Noting that distinct subspaces result in distinct vectors (a₀, . . . , a_(d−1)), this means that the non-zero polynomial det(

_(r)) has at least

$N_{1}:=\frac{\left( {Q - 1} \right)\left( {Q - 2} \right)\left( {Q - 4} \right)\mspace{14mu}\ldots\mspace{14mu}\left( {Q - 2^{d - 1}} \right)}{\left( {2^{d} - 1} \right)\left( {2^{d} - 2} \right)\left( {2^{d} - 4} \right)\mspace{14mu}\ldots\mspace{14mu}\left( {2^{d} - 2^{d - 1}} \right)}$ zeroes. However, since

_(r)≠0 and tot. deg(det(

_(r)))≤d/2) (q−1), it follows from the Schwartz-Zippel lemma that the number of zeros of det(

_(r)) in K^(d) is at most Q^(d−1)(d/2)(q−1), which is in O(Q^(d−1)) for fixed d and q. As N₁=O(Q^(d)), a contradiction is obtained for large enough Q. This shows, that h(X)≠0.

As gh∈

₂[X] is a non-zero polynomial and

${{{tot} \cdot {\deg({gh})}} = {{{{tot} \cdot {\deg(g)}} + {{tot} \cdot {\deg(h)}}} \leq {{\left( {1 + {\frac{d}{2}\left( {q - 1} \right)}} \right)\left( {2^{d} - 1} \right)} - d}}},$ it follows from the Schwartz-Zippel lemma that the probability that a randomly drawn point (x₀, . . . , x_(d−1)) from (

_(q) ₂ )^(d) is a non-zero of gh is at least

$p:={1 - {\frac{{\left( {1 + {\frac{d}{2}\left( {q - 1} \right)}} \right)\left( {2^{d} - 1} \right)} - d}{q^{2} - 1}.}}$ For fixed d, p>0 if

${L(q)}:={{{\left( {\frac{1}{q - 1} + \frac{d}{2}} \right)\left( {2^{d} - 1} \right)} < {q + 1}}:={{R(q)}.}}$ Note that since L is monotonically decreasing with q while R is monotonically increasing with q, if L(2^(r))<R(2^(r)) for some r, then the same is true for all r′≥r.

Now, for even d≥4 and r=log₂(d2^(d−1)), it follows that

$\begin{matrix} {{L\left( 2^{r} \right)} = {\left( {\frac{1}{{d\; 2^{d - 1}} - 1} + \frac{d}{2}} \right)\left( {2^{d} - 1} \right)}} \\ {< {\left( {\frac{1}{{d\; 2^{d - 1}} - 1} + \frac{d}{2}} \right)2^{d}}} \\ {= {\frac{2}{d - \frac{1}{2^{d - 1}}} + {d\; 2^{d - 1}}}} \\ {\leq {1 + {d\; 2^{d - 1}}}} \\ {{= {R\left( 2^{r} \right)}},} \end{matrix}$ as required. 6. The Case d=4 and Additional Examples

For d=4, it follows that l₀=11, and the only integers j≤2^(d)−2=14 with wt₂(j)=d−1=3 are j=7, 11, 13, 14, of which only 7 is <l₀. Hence, by definition

⁢r = ( α 14 , 11 ( r ) α 7 , 11 ( r ) α 14 , 13 ( r ) α 7 , 13 ( r ) ) , ⁢ ⁢and ⁢ ⁢ det ⁡ ( r ) = α 14 , 11 ( r ) ⁢ α 7 , 13 ( r ) + α 7 , 11 ( r ) ⁢ α 14 , 13 ( r ) ⁢ = (* ) ⁢ a 0 ⁡ ( ( α 7 , 13 ( r ) ) 3 + α 7 , 11 ( r ) ⁡ ( α 7 , 14 ( r ) ) 2 ) , ( 27 ) recalling that a₀≠0 is the free coefficient of ƒ_(U)/X, where (*) follows from Lemma 5.18 by noting that by definition, α_(2i,j) ^((r))=α_(i,j) ^((r+1)), as (X ² ^(r) )^(2i)=(X ² ^(r+1) )^(i). In the following examples, the simplified notation α_(j) will be used for α_(7,j) ^((r)). With this notation, it follows from EQ. (27) that det({tilde over (M)}_(r))≠0 iff α₁₃ ³+α₁₁α₁₄ ²≠0. By Proposition 5.16, this is a sufficient condition for a simple repair scheme for the [16,12]

₂ _(2r) Reed-Solomon code defined on the subspace U.

-   Example 6.1 Consider the     ₂-linearized polynomial ƒ(X):=X¹⁶+X⁴+X∈     ₂[X]. It can be verified by direct substitution that this polynomial     splits in     ₂ ₆ . Hence, for q=2³=8, the set U of roots of ƒ in     _(q) ₂ is an     ₂-subspace. It can also be verified directly that     ( X ⁸)⁷ =X ² +X ⁸ +X ¹¹ +X ¹⁴,     so that with the above notation, α₁₃=0, α₁₁≠0, and α₁₄≠0, and it     follows that α₁₃ ³+α₁₁α₁₄ ²≠0. Hence, Condition (**) holds, and the     [16,12]     ₂ ₆ Reed-Solomon code defined on U has a simple repair scheme. -   Example 6.2 Consider the case q=2^(r) with r=4, represent     _(q) ₂ =     ₂ ₈ s as     ₂[X]/(X⁸+X⁴+X³+X²+1), and let α be the image of X. It can be     verified that α is a primitive element of     ₂ ₈ *. Consider the     ₂-subspace U spanned by {1,α,α²,α³} and the Reed-Solomon code C     defined on U. Using any computer algebra software, it can be     verified that α₁₁=α²⁴⁹, α₁₃=α¹⁷¹, α₁₄=α¹⁷⁶, and α₁₁α₁₄ ²+α₁₃     ³=α⁴³¹≠0. Hence, C has a simple repair scheme. Note that an     alterative way to see this is to calculate the dimensions involved     in Condition (**) directly, say, by Gaussian elimination.

C can be shortened to obtain a [14,

shortened Reed-Solomon code. For this shortened code, repairing any single erased coordinate requires reading, a total of only 13·4=52 bits from the remaining coordinates. Note that in the best existing repairing scheme for the [14,

Facebook FUNS code, repairing a single erased coordinate requires reading a total of 64 or 60 bits, depending on the erased coordinate, from the non-erased coordinates.

-   Example 6.3 The cases of q=2^(r) with r∈{5,6,7} can be considered in     a similar way. The following table presents for each r∈{5,6,7} the     minimal polynomial of a primitive element α of     ₂ _(2r) , as well as the relevant coefficients from the above     discussion. In all cases, U is the     ₂-subspace spanned by {1,α,α²,α³}. It can be seen that α₁₁α₁₄ ²+α₁₃     ³≠0 in all cases, and hence the Reed-Solomon code defined on U has a     simple repair scheme,

minimal polynomial α₁₁α₁₄ ² + r of α α₁₁ α₁₃ α₁₄ α₁₃ ³ parameters 5 X¹⁰ + X³ + 1 α⁶⁹⁹ α⁸⁷² α⁵⁸³ α⁴³¹ [16,  

  6 X¹² + X⁶ + α²¹¹⁹ α²⁶⁷⁶ α¹⁵¹⁶ α²⁸⁵⁵ [16, X⁴ + X + 1  

  7 X¹⁴ + X¹⁰ + α¹²⁹⁰⁸ α⁹⁰⁷⁸ α¹⁵³²⁵ α¹¹⁶⁶⁵ [16, X⁶ + X + 1  

 

-   Example 6.4 This example considers the case of dimension d=6. Let     q=2⁴, so that q²=2⁸, and let U be     ₂-subspace spanned by 1, α, . . . , α⁵, where α is as in Example     6.2. Then it can be verified by direct Gaussian elimination that     Condition (**) holds for l=l₀=55. This gives a [64,     Reed-Solomon code with a simple     ₂ ₄ -linear repair scheme.     7. Extensions of Degree>2

While the proofs given in the previous sections consider only the case of extensions

₂ _(2r) /

₂ _(r) of degree 2, some concrete examples below show that it is also possible to work with extensions

₂ _(mr) /

₂ _(r) of degree m>2. In such a case.

₂-subspaces U⊆

₂ _(2r) of degree d divisible by m are considered. As demonstrated in examples below, it is possible in many cases to choose a subspace U as above such that an RS code of dimension k with evaluation set U has a simple

₂ _(r) -linear repair scheme, as long as

$k \leq {2^{d} - {2^{d - \frac{d}{m}}.}}$ Recall that in such a case, if a single coordinate is erased, then each of the non-erased cc ordinates has to transmit only 1/m of its content to reconstruct the erased coordinate.

-   Example 7.1. Let the field     ₂ ₁₂ be represented as     ₂[X]/X¹²+X⁶+X⁴+X+1), and let α be the image of X. Then it can be     verified that α is a primitive element. Let U⊆     ₂ ₁₂ be the     ₂-span of {1, α, . . . , α⁷}. Then d:=dim(U)=8. Consider the     subfield     ₂ ₃ of     ₂ ₁₂ , with m:=[     ₂ ₁₂ :     ₂ ₃ ]=4. Then it can be verified by Gaussian elimination that     Condition (**) holds for the RS code of dimension

$k:={{2^{d} - 2^{d - \frac{d}{m}}} = 192}$ defined on U. This gives a [256,192]

₂ ₁₂ RS code with a simple

₂ ₃ -linear repair scheme. If a single coordiante is erased, then each non-erased coordinate has to transmit only 3 bits, that is, ¼ of its content, for repairing the erased coordinate.

-   Example 7.2, For the field     ₂ ₁₂ represented as in the previous example, consider the subfield     ₂ ₄ , for which m:=[     ₂ ₁₂ :     ₂ ₄ ]=3. Let U⊂     ₂ ₁₂ be the     ₂-span of {1, α, . . . , α⁵}, with d:=dim(U)=6. Then it can be     verified by Gaussian elimination that Condition (**) holds for the     RS code of dimension

$k:={{2^{d} - 2^{d - \frac{d}{m}}} = 48}$ defined on U. This gives a [64,

RS code with a simple

₂ ₄ -linear repair scheme. If a single coordiante is erased, then each non-erased coordinate has to transmit only 4 bits, that is, ⅓ of its content, for repairing the erased coordinate.

-   Example 7.3. Let the field     ₂ ₀ be represented as     ₂[X]/(X⁹+X⁴+1), and let a he the image of X. Then it can be verified     that α is a primitive element. Let U⊂     ₂ ₉ be the     ₂-span of {1, α, . . . , α⁵}. Then d:=dim(U)=6. Consider the     subfield     ₂ ₃ of     ₂ ₉ , with extension degree m=3. Then it can be verified by Gaussian     elimination that Condition (**) holds for the RS code of dimension

$k:={{2^{d} - 2^{d - \frac{d}{m}}} = 48}$ defined on U. This gives a [64,

RS code with a simple

₂ ₃ -linear repair scheme. If a single coordinate is erased, then each non-erased coordinate has to transmit only 3 bits, that is, ⅓ of its content, for repairing the erased coordinate. 8. Low-Bandwidth Repair Algorithm For Reed-Solomon (RS) Codes

A repair algorithm according n an embodiment of the disclosure includes two parts: an offline pre-processing part, and an online part. In the offline part, the various blocks used by the online part are prepared. In the online part, data is encoded using the RS code constructed in the offline part, and erasures are decoded if necessary.

If there is a single erasure, then, using the blocks constructed in the of part, the single erased coordinate can, be corrected with a low repair bandwidth, in that only a small, part of the content of the non-erased coordinates is transmitted to reconstruct the erased coordinate, where “small part” will be defined below.

If there are two or more erasures, then standard erasure-decoding techniques for RS codes are used, and there is no gain in repair bandwidth. However, since single erasures are much more common in practice than multiple erasures, there is it in supporting low-bandwidth repairs for the case of a single erasure.

In what follows, for a field E to be defined below, 1: =(1, . . . , 1)∈E^(n−1) is the vector of n−1 ones, 0: =(0, . . . , 0)∈E^(n−1) is the vector of n−1 zeros, and (·)^(T) stands for vector and matrix transposition. In addition, for a field L, a subset I⊆L, and a positive integer k≤|l|, the RS code with evaluation set I and dimension k is defined as the set of length-|l| vectors in L^(|l|) obtained by evaluating all polynomials ƒ∈L[X] of degree up to k−1 on the points of I. Explicitly, letting I={x₁, . . . , x_(n)}, with n:=|I|, then the above RS code can be defined as {(ƒ(x ₁), . . . ,ƒ(x _(n)))|ƒ∈L[X],deg(ƒ)≤k−1{. In addition, a stripe according to an embodiment can have up to

$k:={2^{d} - 2^{d - \frac{d}{m}}}$ symbols of information, and

$2^{d - \frac{d}{m}}$ symbols of parity, where d, m are as defined above. For example, when d=4 and m=2, there can be up to 12 symbols of information, and 4 symbols of parity. Offline Part

The inputs of an offline part of an algorithm according to an embodiment are as follows,

-   -   Integers r≥1, m≥2 defining finite fields F:=F₂ _(r) ⊆F₂ _(mr)         =:E. Note that as an F-vector space, E is isomorphic to F^(m).     -   A primitive element β∈F₂ _(r) =F and its minimal polynomial         p₁(X)∈F₂[X] over F₂, so that deg(p₁(X))=r. Let         F′:=F₂[X]/(p₁(X)), Note that F′≅F, as these are two isomorphic         copies of F₂ _(r) . In addition let β′ be the image of the         polynomial X in F′:=F₂[X]/(p₁(X)), that is β′:=X+(p₁(X)).     -   A primitive element α∈F₂ _(mr) =E and its minimal polynomial         p₂(X)∈F₂[X] over F₂, so that deg(p₂(X))=mr.     -   A positive integer d≤mr, the dimension over F₂, divisible by m.         The length n constructed codes according to embodiments is then         n:=2^(d), and their maximum possible dimension is

${k:={2^{d} - 2^{d - \frac{d}{m}}}},$

-   -   i.e., can have up to k symbols of information, and

$2^{d - \frac{d}{m}}$

-   -   symbols of parity, where d, m are as defined above. For example,         when d=4 and m=2, there can be up to 12 symbols of information,         and 4 symbols of parity.

Note that lengths 2^(d−1)<n₀≤2^(d) can be obtained by shortening. For simplicity, embodiments will only consider the case of n₀=n=2^(d).

The outputs of an offline part of an algorithm according to an embodiment are as follows.

-   -   An F₂-vector subspace V⊆E with dim_(F) ₂ (V)=d, that is, with         |V|=2^(d)=n, which will be the evaluation set for the         constructed RS code. According to an embodiment, V is given by         stating its n elements, which will be enumerated for convenience         as follows: V={0=u₀, u₁, . . . , u_(n−1)}, where the u_(j) are         elements of E.     -   A “vector of projections” v∈E^(n−1) whose n−1 entries will be         used by the n−1 non-erased coordinates in the reconstruction         process of a single erased coordinate.     -   A “gluing matrix” A′∈(F′)^(m×(n−1)) that will be used for         “gluing” individual transmissions from the n−1 non-erased         coordinates.     -   An “embedding matrix” M₁∈F₂ ^(mr×r).     -   An “inverse embedding matrix” M∈F₂ ^(r×mr).     -   A particular basis B_(F/E)={x₁, . . . , x_(m)}⊆E for E as an         F-vector space. This particular basis will be used in the final         step of reconstructing a single erased coordinate.     -   A matrix G₁∈F^(k×x(n−k)) used for systematic encoding.

With the inputs and outputs defined as above, an offline part of an, algorithm according to an embodiment is as follows, with reference to the steps of the flowchart of FIGS. 1A-B. The flowchart starts on FIG. 1A.

-   Step 101: For i=0, . . . , d−1, let b_(i):=α^(i), and let B_(V/F) ₂     :={b₀, . . . b_(d−1)}.     -   Alternatively, according to other embodiments, B_(V/F) ₂ can be         a random set of F₂-independent elements in E. Such a random set,         may be obtained by successively drawing d elements, until the d         drawn elements are indeed linearly independent. -   Step 102: Let V={u₀=0, u_(n−1)}⊂E be the F₂-subspace spanned by     B_(V/F) ₂ .     -   Note that |V|=n, for n=2^(d). According to an embodiment, if the         binary expansion of i∈{0, . . . , 2^(d)−1} is (i₀, i₁, . . . ,         i_(d−1))∈{0,1}^(d), so that i=Σ_(a=0) ^(d−1) i_(a)2^(a), then         u_(i):=Σ_(a=0) ^(d−1) i_(a)b_(a) -   Step 104: For i=1, . . . , n−1, set v_(i):=1/u_(i) and output     v:=(v₁, . . . , v_(n−1)) -   Step 105: Define the following matrices G∈E^(k×n), H′,     G′∈E^((k−1)×(n−1)), and H″ ∈E^(k×(n−1)),     -   where:

${G:={\begin{pmatrix} 1 & 1 & \ldots & 1 \\ 0 & u_{1} & \ldots & u_{n - 1} \\ 0 & u_{1}^{2} & \ldots & u_{n - 1}^{2} \\ \vdots & \vdots & \ddots & \vdots \\ 0 & u_{1}^{k - 1} & \ldots & u_{n - 1}^{k - 1} \end{pmatrix} = \begin{pmatrix} 1 & 1 \\ 0^{T} & G^{\prime} \end{pmatrix}}},\left( {{this}\mspace{14mu}{defines}\mspace{14mu}{both}\mspace{14mu} G\mspace{14mu}{and}\mspace{14mu} G^{\prime}} \right),{H^{\prime}:={G^{\prime} \cdot \begin{pmatrix} v_{1} & \; & \; \\ \; & \ddots & \; \\ \; & \; & v_{n - 1} \end{pmatrix}}},{{{and}\mspace{14mu} H^{''}}:={\begin{pmatrix} v \\ H^{\prime} \end{pmatrix}.}}$

-   Step 106: Calculate dim_(F)(C′) and dim_(F)(C″), where     C′:={c∈F^(n−1)|H′c^(T)=0}, the F-subfield subcode of the code with     parity-check matrix H′, and C″:={c∈F^(n−1)|H″c^(T)=0}, the     F-subfield subcode of the code with parity-check matrix H″.     According to embodiments, these two dimensions can be found, e.g.,     by Gaussian elimination. According to an embodiment, dim_(F)(C′) can     be calculated as follows: first, replace each entry of H′ by a the     length-m column vector of coefficients according to some basis of     E/F. This results in an [m(k−1)]×(n−1) matrix with entries in F.     After performing Gaussian elimination to this last matrix, let a be     the number of non-zero rows. Then dim_(F)(C′)=n−1−a. -   Step 107: Check if δ:=dim_(F)(C′)−dim_(F)(C″)=m. If δ=m, then     continue to the next step.     -   Otherwise, in which case essentially δ<m, then let B_(V/F) ₂ be         a new random set of F₂-independent elements in E, drawn         independently from any previous drawing, and return to Step 102. -   Step 108: Output the vector space V.     -   The flowchart continues on FIG. 1B. -   Step 109: Find m linearly independent vectors c₁, . . . ,     c_(m)∈F^(n−1) that complete a basis, of C″ to be a basis of C′.     According to an embodiment, this can be done as follows.     -   (1) Let Γ′∈F^(dim) ^(F) ^((C′)×(n−1)) be a generator matrix for         C′ of the form Γ′=(l|Γ₁′), where the identity matrix appears in         columns j′₁, . . . , j′_(dim) _(F) _((C′)).     -   (2) Let Γ″∈F^(dim) ^(F) ^((C″)×(n−1)) be some generator matrix         for C″, and let Γ₁″∈F^(dim) ^(F) ^((C″)×dim) ^(F) ^((C′)) be the         matrix comprising the columns of Γ″ with indices j′₁, . . . ,         j′_(dim) _(F) _((C′)), where the rows of Γ₁″ are the         coefficients of the rows of Γ″ with respect to the basis Γ′ for         the larger code C′.     -   (3) After performing Gaussian elimination to Γ″, let j″₁, . . .         , j″_(dim) _(F) _((C″))∈{1, . . . , dim_(F)(C′)} be column         indices for an identity matrix appearing in the resulting         matrix.     -   (4) Let c₁, . . . , c_(m) be the rows of Γ′ with indices not in         {j″₁, . . . , j″_(dim) _(F) _((C″))}. -   Step 110: Let A∈F^(m×(n−1)) be a matrix with rows c₁, . . . , c_(m).     -   At this stage, according to an embodiment, the m elements of the         vector y=(y₁, . . . , y_(m))^(T):=Av^(T)∈E^(m) are linearly         independent over F, and hence constitute a basis for E over F.         An offline part of an algorithm according to an embodiment         continues as follows.

Step 111: Let B_(F/E)={x₁, . . . , x_(m)}⊂E be the dual basis of {y₁, . . . , y_(m)} with respect to the trace map E→F, and output B_(F/E). The trace tap Tr:E→F, defined above in Def. 2.1, can equivalently be defined by u

Σ_(i=0) ^(m−1) u^(|F|) ^(i) . For a basis {y₁, . . . , y_(m)} of E/F, the dual basis is the set {x₁, . . . , x_(m)} satisfying

${{Tr}\left( {x_{i}y_{j}} \right)} = \left\{ {{\begin{matrix} 1 & {{{if}\mspace{14mu} i} = j} \\ 0 & {{{if}\mspace{14mu} i} \neq j} \end{matrix}\mspace{14mu}{for}\mspace{14mu}{all}\mspace{14mu} i},{j.}} \right.$

-   Step 112: Let M₁∈F₂ ^(mr×r) be the matrix whose j-th column, j=0, .     . . , r−1, is the length-mr binary representation of β^(j) according     to the basis {1, α, . . . , α^(mr−1)} of E over F₂. Output M₁. -   Step 113: Find a matrix T∈F₂ ^(mr×mr) such that the r×r identity     matrix appears in TM₁.     -   According to an embodiment, such a matrix can be found by, e.g.,         Gaussian elimination. Let M∈F₂ ^(r×mr) be r rows of T with         indices supporting an r×r identity matrix in TM₁. Output M. -   Step 114: Let each entry of the matrix A from step 110 be a column     vector in F₂ ^(mr) according to the basis {1, α, . . . , α^(mr−1)}     of E over F₂, and let A′∈(F′)^(m×(n−1)) be the matrix obtained by     replacing each entry a_(ij) of A by Ma_(ij), where this last column     vector in F₂ ^(r) is the representation of an element of F′     according to the basis {1, β′, . . . , (β′)^(r−1)} of F′ over F₂.     Output A′.

Step 115: Obtain a matrix of the form (I_(k)|G₁) from matrix G∈E^(k×n) of Step 105, where G₁∈E^(k×(n−k)). According to an embodiment, such a matrix can be obtained by e.g., Gaussian elimination. Output G₁.

Online Part

According to embodiments, during online operation, incoming messages are encoded and stored in individual unreliable storage nodes. When it is found that one or more nodes have failed and its data is erased, erasure-correction algorithms are used to restore the erased data. In the common case of a single node failure, algorithms according to embodiments of the disclosure can be used. Otherwise, if more than one node fails, standard erasure-correction methods for RS codes can be used.

According to embodiments, a systematic encoding algorithm is presented, because it is the one most likely to be used in practice. Note however, that single-erasure-decoding algorithms according to other embodiments are not limited to systematic encoding, and any encoding for the code C_(RS) with generator matrix (I_(k)|G₁) may be used. For example the generator matrix G from Step 105 of FIG. 1 may be used.

i. Systematic Encoding

-   Inputs: Row data vector x∈E^(k). -   Output: A codeword y∈C_(RS)⊂E^(n) corresponding to x. -   Algorithm: Output y=(y₀, . . . , y_(n−1)):=(x|xG₁) where G₁ was     obtained in an offline stage according to an embodiment.     ii. Single-Erasure Decoding

According to an embodiments, it is assumed that the entries y_(j) of y are stored in n different storage nodes, labeled 0, . . . , n−1. If exactly one node j₀ fails, a following algorithm according to an embodiment can be used for restoring y_(j) ₀ . As indicated below, an algorithm according to an embodiment can be performed by both a controller U and each of the n−1 surviving nodes.

The inputs of an online part of a single erasure decoding algorithm according to an embodiment are the failed node index, j₀. It should be noted that U can learn the failed node index j₀, by, e.g., periodically scanning nodes and checking their status.

The outputs of an online part of a single-erasure decoding algorithm according to an embodiment are a restored value for y_(j) ₀ output by U. This value may then be re-stored in node j₀.

Each storage node can store a different vector of length n−1, call it w(i) for node i. The j-th entry of w(i) is used by node i in the process of reconstructing the j₀-th failed node in a predefined enumeration of all nodes but i. In such a setup, the controller can send surviving node i the index j₀ of the failed node, and node i then multiplies its content by w(i)_(j) for

$j = {{j\left( {i,j_{0}} \right)} = \left\{ \begin{matrix} j_{0} & {{{if}\mspace{14mu} j_{0}} < i} \\ {j_{0} - 1} & {{{if}\mspace{14mu} j_{0}} > i} \end{matrix} \right.}$ and then takes the trace of the result, converts the result to a compact representation and transmits the compact representation to the controller. The vector w(i)∈(F₂ _(mr) )^(n−1) used by node i has n−1 elements and are all different permutations of a vector v whose entries are the inverses of the non-zero elements in the evaluation set. Moreover, the w(i) are typically different for different nodes i's.

With the inputs and outputs defined as above, an online part of an algorithm according to an embodiment is as follows, with reference to the steps of the flowchart of FIG. 2.

-   Step 20: Identifying, by U, a failed storage node. The failed node     has identifier j₀. -   Step 21: U transmits a permutation of surviving node identifiers to     all surviving nodes.     -   According to an embodiment, U reduces the task to an equivalent         task of correcting a failed node with index 0, as follows: For         all i≠j₀, U calculates j′ as the unique index in {1, . . . ,         n−1} such that u_(j′)=u_(j) ₀ +u_(i), and sends j′ to node i.         Alternatively, U may just send the index j₀ of the erased node         to each surviving node i, and node i calculates itself j′ as         described above. -   Step 22: Each surviving node extracts the part of its content     required for reconstruction, as follows: For all i≠j₀, node i     calculates out_(i):=Tr(v_(j′)·c_(i))=Σ_(a=0)     ^(m−1)(v_(j′)·c_(i))^(|F|) ^(a) . Note that out_(i) is in an     isomorphic copy of F₂ _(r) inside F₂ _(mr) , and therefore can be     represented by r bits, instead of mr bits. -   Step 23: Each surviving node i reduces the size of its content by     converting out_(i) to a r-bit representation     _(i). According to embodiments, them are several possible ways for     doing this, for example:     -   1. If elements of F₂ _(mr) are represented as length-m vectors         in (F₂ _(r) )^(m) according to the basis 1, α, . . . , α^(m−1)         of F₂ _(mr) over F₂ _(r) , then out has the form (γ, 0, . . .         , 0) for some γ∈F₂ _(r) , and node i may define         _(i):=γ     -   2. If elements of F₂ _(mr) are represented as length-mr vectors         of bits in F₂ ^(mr) according to the basis 1, α, . . . ,         α^(mr−1) of F₂ _(mr) over F₂, then out_(i) can be regarded as a         binary column vector in F₂ ^(mr). In this case, the matrix M∈F₂         ^(r×mr) calculated in an offline pre-processing stage according         to an embodiment may be used for obtaining         _(i):=M·out_(i). According to an embodiment, this option will be         assumed hereinafter, however, embodiments are not limited         thereto.     -   Each surviving node i, i≠j₀, then returns its extracted part         _(i) to U. Hence, each surviving node transmits only r bits         instead of the total stored mr bits. -   Step 24: U reconstructs the erased symbol y_(j) ₀ from the received     reduced-size data, as follows, with reference to the flowchart of     FIG. 3.     -   1. For all a=1, . . . , n−1, U defines z_(a):=         _(i) for the unique i≠j₀ for which j′=a, and defines z:=(z₁, . .         . , z_(n−1))∈(F′)^(n−1). Recall that j′ was defined above in         Step 21. (Step 31)     -   2. U calculates t^(T)=(t₁, . . . , t_(m))^(T):=A′z^(T)∈(F′)^(m)         using the matrix A′∈(F′)^(m×(n−1)) stored in an offline stage         according to an embodiment. (Step 32)     -   3. U embeds the elements of t∈(F′)^(m) in E to obtain a vector         w∈F^(m). According to an embodiment, one possible way to do this         is to use the matrix M₁∈F₂ ^(mr×r) calculated in an offline         stage according to an embodiment as follows. If each coordinate         t_(a) of t is represented as a length-r binary column vector         according, to the basis 1, β′, . . . , (β′)^(r−1) of F′ over F₂,         then U can calculate w_(a):=M₁·t_(a) for a=1, . . . , m and         output w:=(w₁, . . . , w_(m)). Each entry of w is then a vector         representation of an element of E, according to the basis {1, α,         . . . , α^(mr−1)}. (Step 33)     -   4. Finally, U restores the erased symbol by calculating         y_(i)=Σ_(a=1) ^(m) w_(a)x_(a) (multiplication and addition of         E), recalling that B_(F/E)={x₁, . . . , x_(m)}⊂E was stored in         an offline stage according to an embodiment. (Step 34) -   Step 25: U outputs the reconstructed data symbol y_(i).

Note that it is only possible to re-store the value in node j₀ if the failed node had a temporary failure. According to embodiments, if the node is considered lost, then the reconstructed data can be stored on a different node. According to other embodiments, the reconstructed data is not re-stored at all, but is rather re-calculated (erasure decoding) and sent to the user each time the user wishes to access the data stored on the failed node. In such a case, each time the user wishes to access the data, much more data than the required lost block has to be read from the non-failed nodes for reconstruction.

Alternatively, according to other embodiments of the disclosure, the overall action of steps 22 and 23 can be represented by an r×mr binary matrix V_(j)∈F₂ ^(r×mr) that can be pre-computed, depending on the basis of F₂ ^(mr) over F₂ used for representing elements. In detail, one can pre-compute “overall” matrices V₁, . . . , V_(n−1)∈F₂ ^(r×mr), and instead of the current steps 22 and 23, use a single combined step in which node j multiplies its content, regarded as a length-mr binary vector according to the above basis, by the binary matrix V_(j′) to obtain the required length-r binary vector

_(i).

In other embodiments of the disclosure instead of storing the vector v and using its j′-th entry, v_(j′), for the j′ defined by Step 21, above, it is possible to use a different method, in which node i stores a different vector w(i), depending on i, and uses its j=j(i,j₀)-th entry, for

${j\left( {i,j_{0}} \right)}:=\left\{ {\begin{matrix} j_{0} & {{{if}\mspace{14mu} j_{0}} < i} \\ {j_{0} - 1} & {{{if}\mspace{14mu} j_{0}} > i} \end{matrix}.} \right.$ In an alternative embodiment, all nodes store the vector v. When node j₀ fails, the controller tells surviving node i, for all i≠j₀: “node j₀ failed, calculate j′ by yourself”. Then, each surviving node calculates j′, depending on its own index i and the failed node index j₀, by using the above formula, and, as before, uses w(i)_(j)=v_(j′). In another alternative embodiment, instead of letting node i calculate j′, the right permutation of v is pre-calculated and stored: its first entry is the entry that has to be used when node 0 fails, . . . its (i−1)-th entry is the entry that has to be used when node i−1 fails, its i-th entry is the entry that has to be used when node i+1 fails, etc. Explicitly, define, for all j₀ ∈{0, . . . , i−1, i+1, . . . , n}, w(i)_(j(i,j) ₀ ₎:=v_(j′), where j(i,j₀) was defined above, and j′ is as above. Note that when j₀=0, . . . , i−1, i+1, . . . , n, it holds that j(i,j₀)=0, . . . , n−1, as it should. There are n=2^(d) different vectors w(i), one for each node. These vectors are pre-computed in the offline stage, and stored in the respective n nodes, i.e., w(i) is stored on node i for all i. In some cases, this may be a favorable method, because it avoids the online permutation calculation by both the controller and the surviving nodes.

It is to be understood, however, that the above scenario, in which an algorithm according to an embodiment is performed by a controller U and of the n−1 surviving nodes, is exemplary and non-limiting, and the situation can differ in actual practice. It is possible, for example, that one node coordinates the encoding and reconstruction processes but does not actually performs them, or performs only part of the encoding/reconstruction.

For example, in Hadoop File System (HDFS), developed by the Apache Software Foundation, which is a distributed file system there is a module called HDFS RAID (RAID stands for Redundant Array of independent Disks, and is typically, related to erasure coding) that works roughly as follows. In HDFS RAID, there is a node called RaidNode that coordinates the encoding and decoding related to the erasure code, but need not actually perform them.

For encoding the RaidNode periodically scans all paths that should be erasure encoded, and selects large enough files that have not been recently modified. Once it selects a source file, it iterates over all its stipes and creates the appropriate number of parity blocks for each stripe. The actual calculation of the parity blocks may be performed locally at the RaidNode (“LocalRaidNode”), or distributed to other machines (“DistributedRaidNode”). The LocalRaidNode configuration is similar to what is described in the present disclosure.

For one case of decoding, BlockFixer, a program that runs at the RaidNode, periodically inspects the health of all relevant paths. When a file with missing or corrupt blocks is encountered, these blocks are decoded after a (parallel) read of a sufficient amount of data from the surviving nodes. Once again, the actual computation of the missing blocks may be performed either locally at the RaidNode (“LocalBlockFixer”), or distributed to one or more other machines (“DistBlockFixed”). Embodiments of the disclosure can be incorporated into the distributed case.

Note that the above decoding is a result of a periodic scan. Recall that there is also a case where the user (“client”) itself finds out that there are erasures when trying to read a file. In HDFS RAID, the client implements the DRFS (Distributed RAID File System) client software, which can locally reconstruct such erased blocks, and acts as “U”. In this case, the client does not re-store the reconstructed blocks: these reconstructed blocks are sent to higher layers and discarded. In this case, the client has to re-calculate the missing blocks every time the file is read.

9. System Implementations

It is to be understood that embodiments of the present disclosure can be implemented in various forms of hardware, software, firmware, special purpose processes, or a combination thereof. In one embodiment, the present disclosure can be implemented in hardware as an application-specific integrated circuit (ASIC), or as a field programmable gate array (FPGA). In another embodiment, the present disclosure can be implemented in software as an application program tangible embodied on a computer readable program storage device. The application program can be uploaded to, and executed by, a machine comprising any suitable architecture.

FIG. 4 is a block diagram of a system for repairing corrupted Reed-Solomon codes, according to an embodiment of the disclosure. Referring now to FIG. 4, a computer system 41 for implementing the present invention can comprise, inter alia, a central processing unit (CPU) or controller 42, a memory 43 and an input/output (I/O) interface 44. The computer system 41 is generally coupled through the I/O interface 44 to a display 45 and various input devices 46 such as a mouse and a keyboard. The support circuits can include circuits such as cache, power supplies, clock circuits, and a communication bus. The memory 43 can include random access memory (RAM), read only memory (ROM), disk drive, tape drive, etc., or a combinations thereof. The present disclosure can be implemented as a routine 47 that is stored in memory 43 and executed by the CPU or controller 42 to process the signal from the signal source 48. As such, the computer system 41 is a general purpose computer system that becomes a specific purpose computer system when executing the routine 47 of the present invention. Alternatively, as described above, embodiments of the present disclosure can be implemented as an ASIC or FPGA 47 that is in signal communication with the CPU or controller 42 to process the signal from the signal source 48.

The computer system 41 also includes an operating system and micro instruction code. The various processes and functions described herein can either be part of the micro instruction code or part of the application program (or combination thereof) which is executed via the operating system. In addition, various other peripheral devices can be connected to the computer platform such as an additional data storage device and a printing device.

It is to be further understood that, because some of the constituent system components and method steps depicted in the accompanying figures can be implemented in software, the actual connections between the systems components (or the process steps) may differ depending upon the manner in which the present invention is programmed. Given the teachings of the present invention provided herein, one of ordinary skill in the related art will be able to contemplate these and similar implementations or configurations of the present invention.

While the present invention has been described in detail with reference to exemplary embodiments, those skilled in the art will appreciate that various modifications and substitutions can be made thereto without departing from the spirit and scope of the invention as set forth in the appended claims.

APPENDIX

A. A Calculation for the Proof of Proposition 5.10

${{For}\mspace{14mu}\ell_{0}}:=\left\{ {\begin{matrix} {2^{d} - 2^{d/2} - 1} & {{if}\mspace{14mu} d\mspace{14mu}{is}\mspace{14mu}{even}} \\ {2^{d} - 2^{{({d + 1})}/2} - 1} & {{if}\mspace{14mu} d\mspace{14mu}{is}\mspace{14mu}{odd}} \end{matrix},{A:={\left\{ {i \in \left\{ {0,\ldots\mspace{14mu},{\ell_{0} - 1}} \right\}} \middle| {{{wt}_{2}(i)} > {{wt}_{2}\left( {\ell_{0} - 1} \right)}} \right\} }},{{{and}B}:={\left\{ {i \in \left\{ {\ell_{0},\ldots\mspace{14mu},{2^{d} - 2}} \right\}} \middle| {{{wt}_{2}(i)} \leq {{wt}_{2}\left( {\ell_{0} - 1} \right)}} \right\} }},} \right.$ it should be shown that 2^(d)−3−l ₀ ≥A+B.  (28)

Suppose first that d is even. Then the binary expansion of l₀−1=2^(d)−2^(d/2)−2 is, with the MSB on the left:

d − 1 d − 2 . . . d/2 + 1 d/2 d/2 − 1 d/2 − 2 . . . 1 0 1 1 . . . 1 0 1 1 . . . 1 0 In particular, wt₂(l₀−1)=d−2.

Note that the usual ordering of the integers corresponds to the lexicographic ordering of the binary expansions. Hence an expansion represents a number k≤l₀−1 with wt₂(k)=d−1, which is the only possibility of a weight>wt₂(l₀−1) for a number≤l₀−1, iff the single 0 in its binary expansion is to the left of the 0 in position d/2 in the expansion of l₀−1. Hence, there are exactly d/2−1 such numbers k, so that. A=d/2−1.

Similarly, a number k is strictly larger than l₀−1 iff its binary expansion has 1 in the first coordinate from the left in which it differs from the binary expansion of l₀−1. Since only numbers k with wt₂(k)≤wt₂(l₀−1) are of interest, k=l₀ is excluded, and the remaining numbers are exactly the numbers k with binary expansion of the form

d − 1 d − 2 . . . d/2 + 1 d/2 d/2 − 1 d/2 − 2 . . . 0 1 1 . . . 1 1 ? ? . . . ?

where the sub-vector with question marks may be any binary vector of length d/2 and weight≤d−2−d/2=d/2−2. The total number of such vectors is B=2^(d/2)−d/2−1. There are now explicit expressions for both A and B, and it is straightforward to verify that EQ. (28) holds with equality.

The case where d is odd is similar: now the binary expansion of l₀−1 is

(d + 1)/ (d + 1)/ (d − 1)/ (d − 1)/ d − 1 d − 2 . . . 2 + 1 2 2 2 − 1 . . . 1 0 1 1 . . . 1 0 1 1 . . . 1 0

The numbers A and B are determined as above: there are A=(d−1)/2−1 ways to place a single zero to the left of the zero at index (d+1)/2 of the binary expansion of l₀−1, and there are B=2^((d+1)/2)−(d+1)/2−1 binary vectors of length (d+1)/2 with weight≤d−2−(d−1)/2=(d+1)/2−2. So now the left-hand side of EQ. (28) equals 2^(d)−3−(2^(d)−2^((d+1)/2)−1)=2^((d+1)/2)−2, while the right-hand side equals A+B=2^((d+1)/2)−3. B. A Lemma on Substitution

-   Lemma B.1 For a vector T:=(T₀, . . . , T_(d−1)) of free variables     distinct from X, let     ƒ(X,T):=X ² ^(d) +T _(d−1) X ² ^(d−1) +T _(d−2) X ² ^(d−2) + . . .     +T ₁ X ² +T ₀ X∈     ₂[X,T].     Let K be an extension field of     ₂, let a₀, . . . , a_(d−1)∈K, and write a:=(a₀, . . . , a_(d−1)).     Then the map on the dashed arrow at the bottom of the following     diagram is a well-defined homomorphism of rings, and the unique     homomorphism making the diagram commutative.

-   Proof. Let A and B be commutative, unital rings and let a⊆A and b⊆B     be ideals. Let ϕ:A→B be a homomorphism with ϕ(a)⊆b. Consider the     following diagram:

Since ϕ(a)⊆b, the kernel of the left vertical arrow, which is surjective, is contained in the kernel of the path →↓. Hence there exists a unique dashed homomorphism making the square commutative, and this homomorphism is given by a+a

ϕ(a)+b. Now the assertion of the lemma follows as a special case.

-   Remark B.2 Lemma B.1 is implicitly used in the main text in the     following way. Instead of calculating directly the image of (X² ^(r)     )^(i) uncle the right vertical arrow, which is the same as its image     under the path →↓, its image under the left vertical arrow is first     calculated, and then a is substituted for T, which is the action of     the button horizontal arrow. -   Remark B.3 In the proof of theorem 5.11 there is a use of a     two-stage substitution: first, polynomials a_(i)(X)∈     ₂[X] for X=(X₀, . . . , X_(d−1)) are substituted for the T_(i), and     then x₀, . . . , x_(d−1)∈     _(q) ₂ are substituted for the X_(i). This is justified by the     diagram below, in which each rectangle is commutative by exactly the     same argument as in the proof of Lemma B.1. In the diagram, x:=(x₀,     . . . , x_(d−1)), a(X):=(a₀(X), . . . , a_(d−1)(X)), and     a(x):=(a₀(x), . . . , a_(d−1)(x)). In addition, K is any extension     field of     ₂ (e.g., K=     _(q) ₂ ). 

What is claimed is:
 1. A method for repairing a single erasure in a Reed-Solomon (RS) code over a finite field F₂ ^(mr) with an evaluation set V={u₀=0, u₁, . . . , u_(n−1)} that is a subspace of size n=2^(d), for d<mr and divisible by m, wherein a normalized repair bandwidth b≈(n−1)/m and a number of information symbols is k<=2^(d)−2^(d−d/m), in a system of a plurality of n storage nodes and a controller, wherein a content c_(j) of each storage node i is an element of the finite field F₂ ^(mr) and each node stores a vector v whose entries are inverses of non-zero elements of the evaluation set V, the method comprising the steps of: identifying, by the controller, a failed storage node; transmitting, by the controller, an index j₀ of the failed storage node to each surviving storage node; multiplying, by each surviving storage node i, the content c_(i) of each said node i by a j-th component of vector w(i) wherein $j = {{j\left( {i,j_{0}} \right)} = \left\{ {\begin{matrix} j_{0} & {{{if}\mspace{14mu} j_{0}} < i} \\ {j_{0} - 1} & {{{if}\mspace{14mu} j_{0}} > i} \end{matrix},} \right.}$ wherein w(i)_(j(i,j) ₀ ₎:=v_(j′) for all i∈{0, . . . , j₀−1,j₀+1, . . . , n} is a permutation of elements of vector v that correspond to the surviving storage nodes, wherein j′ is a unique index in (1, . . . , n−1) such that u_(j′)=u_(j) ₀ +u_(i); determining a trace map of a result out_(i) of said multiplication and converting, by each surviving storage node, the result from an m×r bit representation into a reduced representation

of r bits; reconstructing, by the controller, content of the failed storage node from the reduced representation of each surviving node's content; and outputting the reconstructed content of the failed storage node.
 2. The method of claim 1, wherein j′ is calculated by the controller and transmitted to the surviving storage nodes.
 3. The method of claim 1, wherein each surviving storage node calculates j′ based on an index of each surviving storage node and an index of the failed storage node.
 4. The method of claim 1, wherein j′ is pre-calculated for each storage node.
 5. The method of claim 1, wherein multiplying, by each surviving storage node i, the content c_(i) of each said node i by a j-th component of vector w(i) comprises calculating, by each node i, i≠j₀, wherein j₀ is the identifier of the failed node, out_(i):=Tr(w(i)_(j(i,j) ₀ ₎·c_(i))=Σ_(a=0) ^(m−1)(w(i)_(j(i,j) ₀ ₎·c_(i))² ^(ar) .
 6. The method of claim 5, wherein converting the result from an m×r bit representation into a reduced representation of r bits comprises, when elements of field F₂ _(mr) are represented as length-m vectors in vector space (F₂ _(r) )^(m) according to a basis 1, α, . . . , α^(m−1) of F₂ _(mr) over F₂ _(r) , and transmitting, by each node i, i≠j₀, the first coordinate of out_(i) to the controller.
 7. The method of claim 5, wherein converting the result from an m×r bit representation into a reduced representation of r bits comprises, when elements of field F₂ _(mr) are represented as length-mr vectors of bits in vector space F₂ ^(mr) according to a basis 1, α, . . . , α^(mr−1) of F₂ _(mr) over F₂, wherein a is a primitive element of field F₂ _(mr) , transmitting, by each node i, i≠j₀, a product M≠out_(i) to the controller, wherein matrix M∈F₂ ^(r×mr).
 8. The method of claim 7, wherein matrix M∈F₂ ^(r×mr) is r rows of a matrix T∈F₂ ^(mr×mr) with indices supporting an r×r identity matrix in TM₁, wherein M₁∈F₂ ^(mr×r) is a matrix whose j-th column, j=0, . . . , m−1, is a length-mr binary representation of β^(j) according to a basis {1, α, . . . , α^(mr−L)) of field E over field F₂, E:=F₂ _(mr) , and β is a primitive element of field F₂ _(r) =F.
 9. The method of claim 1, wherein reconstructing content of the failed storage node from the reduced representation of each surviving node's content comprises: calculating t^(r)=(t₁, . . . , t_(m))^(T):=A′z^(T)∈(F′)^(m) using a matrix A′∈(F′)^(m×(n−1)), wherein F′:=F₂[X]ƒ(p₁(X)), wherein p₁(X) is a minimal polynomial of β, wherein vector z:=(z₁, . . . , z_(n−1))∈(F′)^(n−1) wherein z_(a)

for all a=1, . . . , n−1 and for i≠j₀ for which i′=a, wherein n is a total number of storage nodes and

, is the reduced representation of surviving node i's content; wherein matrix A′ is a matrix obtained by replacing each entry a_(ij) of A by Ma_(ij) when a_(ij) is regarded as a column vector in F₂ ^(mr) according a basis {1, α, . . . , α^(mr−1)) of F₂ _(mr) over F_(z), wherein matrix A∈F^(m×(n−1)) is a matrix with rows c₁, . . . , c_(m) that are m linearly independent vectors ∈F^(n−1) that complete a basis of C″ to be a basis of C′, wherein C′:=(c∈F^(n−1)|H′c^(T)=0}, the F-subfield subcode of the code with parity-check matrix H′, and C″:={c∈F^(n−1)|H″c^(T)=0), the F-subfield subcode of the code with parity-check matrix H″, ${{{{wherein}\mspace{14mu} H^{''}} \in E^{k \times {({n - 1})}}}:=\begin{pmatrix} v \\ H^{\prime} \end{pmatrix}},{{H^{\prime} \in E^{{({k - 1})} \times {({n - 1})}}}:={G^{\prime} \cdot \begin{pmatrix} v_{1} & \; & \; \\ \; & \ddots & \; \\ \; & \; & v_{n - 1} \end{pmatrix}}},{{G^{\prime} \in E^{{({k - 1})} \times {({n - 1})}}}:=\begin{pmatrix} u_{1} & \ldots & u_{n - 1} \\ u_{1}^{2} & \ldots & u_{n - 1}^{2} \\ \vdots & \ddots & \vdots \\ u_{1}^{k - 1} & \ldots & u_{n - 1}^{k - 1} \end{pmatrix}},$ (v₁, . . . , v_(n−1)) are elements of vector v, and (u₁, . . . , u_(n−1)) are non-zero elements of evaluation set V, and wherein matrix M∈F₂ ^(r×mr) is r rows of a matrix T∈F₂ ^(mr×mr) with indices supporting an r×r identity matrix in TM₁, wherein M₁∈F₂ ^(mr×r) is a matrix whose i-th column, j=0, . . . , m−1, is the length-mr binary representation of β^(i) according to the basis (1, α, . . . , α^(mr−1)) of E over F₂, wherein β is a primitive element of field F₂r=F and α is a primitive element of field F₂mr; embedding elements of t∈(F′)^(m) in field E:=F₂ _(mr) to obtain a vector w∈F^(m); and restoring the content of the failed storage node by calculating y_(i)=Σ_(a=1) ^(m)w_(a)x_(z), wherein (x₁, . . . , x_(m))⊂E form a dual basis for E over F with respect to a basis whose elements are entries of vector y=(y₁, . . . , y_(m))^(T):=Av^(T)∈E^(m).
 10. The method of claim 9, wherein embedding elements of t∈(F′)^(m) in E to obtain a vector w∈F^(m) comprises calculating w_(a):=M₁·t_(a) for a=1, . . . , m, wherein each coordinate t_(a) of t is represented as a length-r binary column vector according to the basis 1, β′, . . . (β′)^(r−1) of F′ over F₂, and outputting w:=(w₁, . . . , w_(m)), wherein each entry of w is a vector representation of an element of E, according to the basis (1, α, . . . , α^(mr−1)).
 11. A non-transitory program storage device readable by a computer, tangibly embodying a program of instructions executed by the computer to perform the method steps for repairing a single erasure in a Reed-Solomon (RS) code over a finite field F₂ ^(mr) with an evaluation set V={u₀=0, u₁, . . . , u_(n−1)} that is a subspace of size n=2^(d), for d<mr and divisible by m, wherein a normalized repair bandwidth b≈(n−1)/m and a number of information symbols is k<=2^(d)−2^(d−d/m), in a system of a plurality of n storage nodes and a controller, wherein a content c_(i) of each storage node i is an element of the finite field F₂ ^(mr) and each node stores a vector v whose entries are inverses of non-zero elements of the evaluation set V, the method comprising the steps of: identifying, by the controller, a failed storage node; transmitting, by the controller, an index j₀ of the failed storage node to each surviving storage node; multiplying, by each surviving storage node i, the content c of each said node i by a j-th component of vector w(i) wherein $j = {{j\left( {i,j_{0}} \right)} = \left\{ {\begin{matrix} j_{0} & {{{if}\mspace{14mu} j_{0}} < i} \\ {j_{0} - 1} & {{{if}\mspace{14mu} j_{0}} > i} \end{matrix},} \right.}$ wherein w(i)_(j(i,j) ₀ ₎:=v_(j′) for all i∈{0, . . . j₀−1,j₀+1, . . . , n} is a permutation of elements of vector v that correspond to the surviving storage nodes, wherein j′ is a unique index in (1, . . . , n−1) such that u_(j′)=u_(j) ₀ +u_(i): determining a trace map of a result out_(i) of said multiplication and converting, by each surviving storage node, the result from an m×r bit representation into a reduced representation

of r bits; reconstructing, by the controller, content of the failed storage node from the reduced representation of each surviving node's content; and outputting the reconstructed content of the failed storage node.
 12. The computer readable program storage device of claim 11, wherein j′ is calculated by the controller and transmitted to the surviving storage nodes.
 13. The computer readable program storage device of claim 11, wherein each surviving storage node calculates j′ based on an index of each surviving storage node and an index of the failed storage node.
 14. The computer readable program storage device of claim 11, wherein j′ is pre-calculated for each storage node.
 15. The computer readable program storage device of claim 11, wherein multiplying, by each surviving storage node i, the content c_(i) of each said node i by a j-th component of vector w(i) comprises calculating, by each node i, i≠j₀, wherein j₀ is the identifier of the failed node, out_(i) :=Tr(w(i)_(j(i,j) ₀ ₎ ·c _(i))=Σ_(a=0) ^(m−1)(w(i)_(j(i,j) ₀ ₎ ·c _(i))² ^(ar) .
 16. The computer readable program storage device of claim 15, wherein converting the result from an m×r bit representation into a reduced representation of r bits comprises, when elements of field F₂ _(mr) are represented as length-mr vectors in vector space (F₂ _(r) )^(m) according to a basis 1, α, . . . , α^(m−1) of F₂ _(mr) over F₂ _(r) , and transmitting, by each node i, i≠j₀, the first coordinate of out_(i) to the controller.
 17. The computer readable program storage device of claim 15, wherein converting the result from an m×r bit representation into a reduced representation of r bits comprises, when elements of field F₂ _(mr) are represented as length-mr vectors of bits in vector space F₂ ^(mr) according to a basis 1, α, . . . , α^(mr−1) of F₂ _(mr) over F_(F), wherein α is a primitive element of field F₂ _(mr) , transmitting, by each node i, i≠j₀, a product M·out_(i) to the controller, wherein matrix M∈F₂ ^(r×mr).
 18. The computer readable program storage device of claim 17, wherein matrix M∈F₂ ^(r×mr) is r rows of a matrix T∈F₂ ^(mr×mr) with indices supporting an r×r identity matrix in TM₁, wherein M₁∈F₂ ^(mr×r) is a matrix whose j-th column, j=0, . . . , m−1, is a length-mr binary representation of β^(j) according to a basis (1, α, . . . , α^(mr−1)) of field E over field F₂E:=F₂ _(mr) , and β is a primitive element of field F₂ _(r) =F.
 19. The computer readable program storage device of claim 11, wherein reconstructing content of the failed storage node from the reduced representation of each surviving node's content comprises: calculating t^(T)=(t₁, . . . , t_(m))^(T):=A′z^(T)∈(F′)^(m) using a matrix A′∈(F′)^(m×(n−1)), wherein F′:=F₂[X]ƒ(p₁(X)), wherein p₁(X) is a minimal polynomial of β, wherein vector z:=(z₁, . . . , z_(n−1))∈(F′)^(n−1) wherein z_(a):=

for all n=1, . . . , n−1 and for I≠j₀ for which j′=α, wherein n is a total number of storage nodes and

is the reduced representation of surviving node i's content; wherein matrix A′ is a matrix obtained by replacing each entry a_(ij) of A by Ma_(ij) when a_(ij) is regarded as a column vector in F₂ ^(mr) according a basis {1, α, . . . α^(mr−1)}of F₂ _(mr) over F₂, wherein matrix A∈F^(m×n−1)) is a matrix with rows c₁, . . . , c_(m) that are m linearly independent vectors ∈F^(n−1) that complete a basis of C″ to be a basis of C′, wherein C′:={c∈F^(n−1)|H′c^(T)=0}, the F-subfield subcode of the code with parity-check matrix H′, and C^(a):={c∈F^(n−1)|H″c^(T)=0}, the F-subfield subcode of the code with parity-check matrix H″, wherein ${{H^{''} \in E^{k \times {({n - 1})}}}:=\begin{pmatrix} v \\ H^{\prime} \end{pmatrix}},{{H^{\prime} \in E^{{({k - 1})} \times {({n - 1})}}}:={G^{\prime} \cdot \begin{pmatrix} v_{1} & \; & \; \\ \; & \ddots & \; \\ \; & \; & v_{n - 1} \end{pmatrix}}},{{G^{\prime} \in E^{{({k - 1})} \times {({n - 1})}}}:=\begin{pmatrix} u_{1} & \ldots & u_{n - 1} \\ u_{1}^{2} & \ldots & u_{n - 1}^{2} \\ \vdots & \ddots & \vdots \\ u_{1}^{k - 1} & \ldots & u_{n - 1}^{k - 1} \end{pmatrix}},$ (v₁, . . . , v_(n−1)) are elements of vector v, and (u₁, . . . , u_(n−1)) are non-zero elements of evaluation set V, and wherein matrix M∈F₂ ^(r×mr) is r rows of a matrix T∈F₂ ^(mr×mr) with indices supporting an r×r identity matrix in TM₁, wherein M₁∈F₂ ^(mr×r) is a matrix whose j-th column, j=0, . . . , m−1, is the length-mr binary representation of β^(j) according to the basis (1, α, . . . , α^(mr−1)) of E over F₂, wherein β is a primitive element of field F₂ _(r) =F and α is a primitive element of field F₂ _(mr) ; embedding elements of t∈(F′)^(m) in field E:=F₂ _(mr) to obtain a vector w∈F^(m); and restoring the content of the failed storage node by calculating y_(i)=y_(i)=Σ_(a=1) ^(m) w_(a)x_(a), wherein (x₁, . . . , x_(m))⊂E form a dual basis for E over F with respect to a basis whose elements are entries of vector y=(y₁, . . . , y_(m))^(T):=Av^(T)∈E^(m).
 20. The computer readable program storage device of claim 19, wherein embedding elements of t∈(F′)^(m) in E to obtain a vector w∈F^(m) comprises calculating w_(a):=M₁·t_(a) for a=1, . . . , m, wherein each coordinate t_(a) of t is represented as a length-r binary column vector according to the basis 1, β′, . . . , (β′)^(r−1) of F′ over F₂, and outputting w:=(w₁, . . . , w_(m)), wherein each entry of w is a vector representation of an element of E, according to the basis (1, α, . . . , α^(mr−1)). 